Lack of wget-ssl (was: Accepted wget 1.8.1-6.1 (i386 source))
On Thu, 12 Dec 2002 at 17:37:36 -0500, Wichert Akkerman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
[...]
> Date: Wed, 11 Dec 2002 12:00:49 +0100
> Source: wget
> Binary: wget
> Architecture: source i386
> Version: 1.8.1-6.1
> Distribution: stable-security
> Urgency: medium
> Maintainer: Noel Koethe <noel@debian.org>
> Changed-By: Wichert Akkerman <wakkerma@debian.org>
> Description:
> wget - retrieves files from the web
> Changes:
> wget (1.8.1-6.1) stable-security; urgency=medium
> .
> * Non-maintainer upload by security team
> * Fix directory traversal problem in FTP client
> * Fix buffer overrun in url_filename function
> Files:
> 97af60040e8d7a2cd538d18a5120cd87 1217 web optional wget_1.8.1-6.1.dsc
> 69f96b6608e043e0d781061a22e90169 9939 web optional wget_1.8.1-6.1.diff.gz
> afc976eaaf4cd416f8eedd347d18367b 332394 web optional wget_1.8.1-6.1_i386.deb
>
[...]
I use stable (woody).
Is wget-ssl also vulnerable? Probably yes.
At first, I was surprised that I didn't find any wget-ssl package at
Debian's "search packages" page (although 'apt-cache show wget-ssl'
shows it - but apparently just because I've got this package installed).
After some searching, I've come to a message by Noel Koethe dated
14 Jul 2002:
http://lists.debian.org/debian-devel/2002/debian-devel-200207/msg00683.html
contaning this excerpt:
"For unknown reason the "wget-ssl" package is removed
from woody. Anybody knows why?
I requested a removal of wget-ssl for sid (#148441) because
wget 1.8.2 has https support in the wget package in main.
Please reinsert wget-ssl to woody or better use wget 1.8.2
for woody."
Unfortunately, that letter wasn't answered at all.
I'm quite disappointed because of that. Somebody erroneously (most
probably) removed wget-ssl from woody and later he didn't correct his
mistake, nor even answered Noel's request.
What can I do if I want to have https support in wget installed on my
systems? I can't uninstall wget-ssl and install wget from woody as it
doesn't support https.
Am I to use wget from "testing" (1.8.2-5)? Is it safe?
Regards
--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.
Reply to: