
Re: wget CVE-2006-6719 fixed since some years



Hi!

On Tue, Oct 04, 2016 at 01:40:44PM +0200, Salvatore Bonaccorso wrote:
> Hi Noel,
> 
> On Tue, Oct 04, 2016 at 01:25:53PM +0200, Noël Köthe wrote:
> > Hello,
> > 
> > https://security-tracker.debian.org/tracker/source-package/wget
> > lists CVE-2006-6719 and I checked if the patch is already included in
> > the Debian package.
> > 
> > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=bd7f4ef701ce5db64659db496d3f47aeedfadac2
> > is the included upstream patch but not marked with CVE by upstream.:(
> > 
> > The patch is included in wget Debian in oldstable 1.13.4.3-(If needed I
> > can check since which version it got added).
> 
> Can you determine which version that entered unstable back then
> contained the fix? We want to be as exact as possible regarding the
> fixing version.
> 
> > The security-tracker should show it as "Resolved issue".
> 
> Sure, as soon as we have the fixing version, thanks a lot for
> investigating and pinging.

Ok, I think I got it. I committed the attached changes for the
security-tracker.

Regards,
Salvatore
>From a32082a596358d3ab45a660af02b462ada1dc621 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 4 Oct 2016 13:47:45 +0200
Subject: [PATCH] Add information for CVE-2016-6719 an old wget issue

---
 data/CVE/list | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/CVE/list b/data/CVE/list
index 421d01f..07defc0 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -190929,8 +190929,9 @@ CVE-2006-6721 (Multiple cross-site scripting (XSS) vulnerabilities in shout.php
 CVE-2006-6720 (PHP remote file inclusion vulnerability in admin/index_sitios.php in ...)
 	NOT-FOR-US: Azucar CMS
 CVE-2006-6719 (The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) ...)
-	- wget <unfixed> (unimportant)
+	- wget 1.13-1 (unimportant)
 	NOTE: An FTP server crashing a download utility is a bug, but not a DoS security issue
+	NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=bd7f4ef701ce5db64659db496d3f47aeedfadac2 (v1.13)
 CVE-2006-6718 (The Allied Telesis AT-9000/24 Ethernet switch has a default password ...)
 	NOT-FOR-US: Allied Telesis
 CVE-2006-6717 (The Allied Telesis AT-9000/24 Ethernet switch accepts management ...)
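Review bot: the entry this hunk edits is CVE-2006-6719, but the Subject line of the patch reads CVE-2016-6719, so anyone searching the commit log for the CVE id will not find this change; the subject should carry the same id as the entry. On the "- wget 1.13-1 (unimportant)" line, the added NOTE only ties the fix to upstream v1.13, and the commit message has no body saying how 1.13-1 was established as the first upload to unstable that carried it, which is the exactness the thread asked for. A one-line body recording that check would make the fixing version verifiable later.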
-- 
2.9.3

