
Bug#767275: marked as done (unblock: wget/1.16-1)



Your message dated Thu, 30 Oct 2014 12:02:08 +0000
with message-id <20141030120208.GA30538@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#767275: unblock: wget/1.16-1
has caused the Debian Bug report #767275,
regarding unblock: wget/1.16-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
767275: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767275
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear lovely release team,

TL;DR: 
# CVE-2014-4887
unblock wget/1.16-1
age-days 2 wget/1.16-1

wget 1.16 in unstable currently fixes CVE-2014-4887:
Absolute path traversal vulnerability in GNU Wget before 1.16, when
recursion is enabled, allows remote FTP servers to write to arbitrary
files, and consequently execute arbitrary code, via a LIST response that
references the same filename within two entries, one of which indicates
that the filename is for a symlink.

This is a rather nasty security bug, so should probably get into
testing a) before the freeze (which it won't do at the moment) and b)
before it gets tangled in the nettle transition (which hopefully won't
happen, but you know what happens sometimes with transitions...)

Thanks!
Neil

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (650, 'testing'), (500, 'testing-updates'), (500, 'testing-proposed-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
On Wed, Oct 29, 2014 at 06:54:57PM +0000, Neil McGovern wrote:
> TL;DR: 
> # CVE-2014-4887
> unblock wget/1.16-1
> age-days 2 wget/1.16-1
> 
> wget 1.16 in unstable currently fixes CVE-2014-4887:
> Absolute path traversal vulnerability in GNU Wget before 1.16, when
> recursion is enabled, allows remote FTP servers to write to arbitrary
> files, and consequently execute arbitrary code, via a LIST response that
> references the same filename within two entries, one of which indicates
> that the filename is for a symlink.

Thanks for the heads up. It's a new upstream with quite some other changes,
so I've compromised at 5 days.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Attachment: signature.asc
Description: Digital signature


--- End Message ---
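The LIST pattern the CVE text quoted above describes, as an added defensive check that is not part of wget or of either message: it parses Unix-style FTP LIST lines and flags a name that appears both as a symlink and as a regular entry, or a symlink whose target leaves the download root. The regex, the sample listing and the function names are assumptions made for this example.

```python
import re
from typing import NamedTuple, Optional

# Unix-style LIST line: perms, links, owner, group, size, month, day, year-or-time, name [-> target].
# The regex is an assumption for this example; real servers vary in their LIST output.
LIST_RE = re.compile(
    r"^(?P<perms>[-ldcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2})\s+(?P<name>.+?)(?:\s->\s(?P<target>.+))?$"
)

class Entry(NamedTuple):
    name: str
    is_symlink: bool
    target: Optional[str]

def parse_listing(text: str) -> list:
    """Parse a LIST response; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            entries.append(Entry(m["name"], m["perms"][0] == "l", m["target"]))
    return entries

def find_suspicious(entries: list) -> list:
    """Return (name, reason) pairs for entries a recursive mirror should refuse."""
    seen = {}
    findings = []
    for e in entries:
        # A symlink to an absolute path or through '..' would let a later write
        # land outside the download directory.
        if e.is_symlink and e.target is not None:
            if e.target.startswith("/") or ".." in e.target.split("/"):
                findings.append((e.name, "symlink target escapes download root: " + e.target))
        # CVE-2014-4887 pattern: the same name listed twice, once as a symlink.
        prev = seen.setdefault(e.name, e)
        if prev is not e and prev.is_symlink != e.is_symlink:
            findings.append((e.name, "name listed as both a symlink and a regular entry"))
    return findings

# Constructed sample listing (not from a real server): 'data' is first a symlink
# to /tmp and then a directory of the same name.
SAMPLE_LISTING = """\
-rw-r--r-- 1 ftp ftp  120 Oct 29 2014 README
lrwxrwxrwx 1 ftp ftp    4 Oct 29 2014 data -> /tmp
drwxr-xr-x 2 ftp ftp 4096 Oct 29 2014 data
"""

if __name__ == "__main__":
    for name, reason in find_suspicious(parse_listing(SAMPLE_LISTING)):
        print(f"refuse {name}: {reason}")
```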