Re: wget CVE-2006-6719 fixed since some years
Hi!
On Tue, Oct 04, 2016 at 01:40:44PM +0200, Salvatore Bonaccorso wrote:
> Hi Noel,
>
> On Tue, Oct 04, 2016 at 01:25:53PM +0200, Noël Köthe wrote:
> > Hello,
> >
> > https://security-tracker.debian.org/tracker/source-package/wget
> > lists CVE-2006-6719 and I checked if the patch is already included in
> > the Debian package.
> >
> > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=bd7f4ef701ce5db64659db496d3f47aeedfadac2
> > is the included upstream patch but not marked with CVE by upstream. :(
> >
> > The patch is included in wget Debian in oldstable 1.13.4.3-(If needed I
> > can check since which version it got added).
>
> Can you determine which version that entered unstable back then
> contained the fix? We want to be as exact as possible regarding the
> fixing version.
>
> > The security-tracker should show it as "Resolved issue".
>
> Sure, as soon as we have the fixing version, thanks a lot for
> investigating and pinging.
Ok, I think I got it. I committed the attached changes for the
security-tracker.
Regards,
Salvatore
From a32082a596358d3ab45a660af02b462ada1dc621 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 4 Oct 2016 13:47:45 +0200
Subject: [PATCH] Add information for CVE-2016-6719 an old wget issue
---
data/CVE/list | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/data/CVE/list b/data/CVE/list
index 421d01f..07defc0 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -190929,8 +190929,9 @@ CVE-2006-6721 (Multiple cross-site scripting (XSS) vulnerabilities in shout.php
CVE-2006-6720 (PHP remote file inclusion vulnerability in admin/index_sitios.php in ...)
NOT-FOR-US: Azucar CMS
CVE-2006-6719 (The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) ...)
- - wget <unfixed> (unimportant)
+ - wget 1.13-1 (unimportant)
NOTE: An FTP server crashing a download utility is a bug, but not a DoS security issue
+ NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=bd7f4ef701ce5db64659db496d3f47aeedfadac2 (v1.13)
CVE-2006-6718 (The Allied Telesis AT-9000/24 Ethernet switch has a default password ...)
NOT-FOR-US: Allied Telesis
CVE-2006-6717 (The Allied Telesis AT-9000/24 Ethernet switch accepts management ...)
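Review bot: The entry edited in this hunk is CVE-2006-6719, but the Subject line of the commit reads CVE-2016-6719, so a search of the history for the real id will not find this commit; the subject should name CVE-2006-6719. On the added `- wget 1.13-1 (unimportant)` line, the new NOTE ties the upstream commit to v1.13, but nothing records how 1.13-1 was established as the first upload to unstable carrying it, which is what the thread asked to pin down; a short NOTE stating that would make the fixed version auditable.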
--
2.9.3