CVE request: mldonkey arbitrary file download vulnerability

[Florian Weimer <fw () deneb enyo de>]

mldonkey in version 2.9.7 and earlier permits remote attackers to
download arbitrary files accessible to the mldonkey daemon, using
crafted requests to the HTTP console.

<https://savannah.nongnu.org/bugs/?25667>

(The proposed patch deals with this in a rather odd place.)