Re: [SECURITY] [DSA 3062-1] wget security update
Sent from my iPhone
> On Nov 2, 2014, at 1:06 PM, Luciano Bello <luciano@debian.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3062-1                   security@debian.org
> http://www.debian.org/security/                            Luciano Bello
> November 01, 2014                      http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package : wget
> CVE ID : CVE-2014-4877
> Debian Bug : 766981
>
> HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line
> utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability
> allows the creation of arbitrary files on the user's system when Wget runs
> in recursive mode against a malicious FTP server. Arbitrary file creation
> may overwrite the content of the user's files or permit remote code
> execution with the user's privileges.
>
> This update changes the default setting in Wget such that it no longer
> creates local symbolic links, but rather traverses them and retrieves the
> pointed-to file in such a retrieval.
>
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.13.4-3+deb7u2.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1.16-1.
>
> We recommend that you upgrade your wget packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJUVpzsAAoJEG7C3vaP/jd0HuwP/1xCK+cddnPbiTBDdQ7ADDd1
> tw6Qj9smr7anS5iio9Afi4DSSdM79T6P3tL+Qj9QDKzCfk11Q0UemU/QOlwY2ep+
> uV5lVIuevTsEypxz0V3p7BMyaTP0tS2bcxBAAhIzGXcBjnQ91G74J6vWfSJ+btiu
> 7vMJ9eqMXbj6oz4Vx7VooWRmLRlU1H+bQzrw7e3kONrOM6Smb6GBzl6H7yaA7ns+
> 2k7FR4mvggHiCQa8pU2DNUbSW7CwSuoMuu6jdDOGFmgT/Qt74LF9erGZ1Zja6IXX
> Obk5JksAtPkm/RfuhkAA2dVaf6EuGN7VyTjTPumrQgYan2WZZcSsRDtS2uQ9BlRJ
> bzJKnr7KYKUH+bKVSA2fEPxk8nr4o0kWAtty58L1bTlHJ3T4CJfgpNUJBgyxKkZK
> ezIoDokHwH1fUnAsU/7IJdzjsjyOhAZmYAkj5m0mVfklkCTqYPL8mL0FrODovloW
> 22w5KYJ8uluYgdUBOv5/HBmm7UEX2irOF1a4WB9fvwYo/yAdcMd8PtqtNMuabpVG
> t7aIvGJDJJWXqN0YUYtyqVFcQG+NznRU/2wQnwNzR3i/a9gkQlsU0/SAbVaGW7Nc
> 5tb4337DZnAhknY9PygGvc5AQsxeA7igXaQx5rMLqPsJmIvkdD0873H2RjmqPins
> 0sYvWVBAefAMZH6eAnuy
> =bD/d
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: https://lists.debian.org/3051189.XDyDVgVXoy@box
>
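Added example (shell), not part of the advisory above or of wget's own code: it reproduces, with plain filesystem operations and no network, the symlink primitive the advisory describes, shows the containment check a fixed client effectively performs, and checks a wgetrc for the workaround users of unpatched versions can set (`retr-symlinks = on` in ~/.wgetrc, or `--retr-symlinks` on the command line). The directive name and its boolean spellings are wget's; the directory layout, file names and sample wgetrc contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of DSA-3062-1 or of wget's own code.
# Assumptions: the wgetrc directive is "retr-symlinks" with a boolean value
# (on/off, yes/no, 1/0); the directory layout below is constructed here.

# 1. Does a wgetrc file turn symlink retrieval on?  With the directive unset,
#    wget before 1.16 behaved as "off" and created local symlinks, so unset
#    is reported as not enabled.  The last directive in the file wins.
wgetrc_retr_symlinks_enabled() {
    rcfile=$1
    state=off
    for v in $(sed -e 's/#.*//' "$rcfile" | tr 'A-Z' 'a-z' \
             | sed -n 's/^[[:space:]]*retr[-_]symlinks[[:space:]]*=[[:space:]]*\([a-z0-9]*\).*/\1/p'); do
        state=$v
    done
    case $state in
        on|yes|1) return 0 ;;
        *)        return 1 ;;
    esac
}

# 2. Reproduce the primitive behind the advisory without any network: a
#    "mirror" directory receives a symlink (as the old default would create
#    from a malicious FTP listing) pointing outside the download tree, then a
#    later "download" is placed through it.  Prints where the file really
#    landed; returns 0 if it escaped the mirror.
simulate_symlink_escape() {
    work=$1
    mkdir -p "$work/mirror" "$work/outside"
    ln -s ../outside "$work/mirror/docs"          # hostile listing entry
    printf 'attacker content\n' > "$work/mirror/docs/evil.txt"
    if [ -f "$work/outside/evil.txt" ]; then
        echo "$work/outside/evil.txt"
        return 0
    fi
    return 1
}

# 3. The check a fixed client effectively performs: resolve the target's
#    parent directory physically (following symlinks) and refuse to write if
#    it is not inside the download root.  Returns 0 and writes on success,
#    1 and writes nothing otherwise.
write_within_root() {
    root=$1
    rel=$2
    rootphys=$(cd -P "$root" && pwd -P) || return 1
    parentphys=$(cd -P "$(dirname "$root/$rel")" 2>/dev/null && pwd -P) || return 1
    case "$parentphys/" in
        "$rootphys"/*) printf 'safe content\n' > "$root/$rel"; return 0 ;;
        *)             return 1 ;;
    esac
}

# Stand-alone demonstration on constructed input.
demo() {
    tmp=$(mktemp -d)
    printf '# no retr-symlinks line: pre-1.16 default applies\n' > "$tmp/weak.wgetrc"
    printf 'Retr-Symlinks = On\n' > "$tmp/hardened.wgetrc"
    for rc in weak hardened; do
        if wgetrc_retr_symlinks_enabled "$tmp/$rc.wgetrc"; then
            echo "$rc.wgetrc: retr-symlinks on (symlinks are followed, not created)"
        else
            echo "$rc.wgetrc: retr-symlinks off or unset (vulnerable default)"
        fi
    done
    esc=$(simulate_symlink_escape "$tmp/sim") && echo "escaped to: $esc"
    write_within_root "$tmp/sim/mirror" docs/evil2.txt || echo "refused: docs/evil2.txt resolves outside mirror"
    write_within_root "$tmp/sim/mirror" readme.txt && echo "wrote: readme.txt inside mirror"
    rm -rf "$tmp"
}
demo
```

Run it as-is. On a wget older than the fixed versions, adding `retr-symlinks = on` to ~/.wgetrc (or /etc/wgetrc) gives the behaviour this update makes the default: the pointed-to file is retrieved as a regular file and no local symlink is created.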