
Re: [SECURITY] [DSA 3062-1] wget security update




Sent from my iPhone

> On Nov 2, 2014, at 1:06 PM, Luciano Bello <luciano@debian.org> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3062-1                   security@debian.org
> http://www.debian.org/security/                             Luciano Bello
> November 01, 2014                      http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
> 
> Package        : wget
> CVE ID         : CVE-2014-4877
> Debian Bug     : 766981
> 
> HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line
> utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability
> allows the creation of arbitrary files on the user's system when Wget runs in
> recursive mode against a malicious FTP server. Arbitrary file creation
> may override the content of the user's files or permit remote code execution with
> the user's privileges.
> 
> This update changes the default setting in Wget such that it no longer 
> creates local symbolic links, but rather traverses them and retrieves the 
> pointed-to file in such a retrieval.
> 
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.13.4-3+deb7u2.
> 
> For the unstable distribution (sid), this problem has been fixed in
> version 1.16-1.
> 
> We recommend that you upgrade your wget packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> 
> 
> Archive: https://lists.debian.org/3051189.XDyDVgVXoy@box
> 
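A post-retrieval check related to the advisory quoted above, as an added example that is not part of the original message, the advisory, or Wget itself: it lists symbolic links inside a download directory whose targets resolve outside that directory, which is what a tree written by an unpatched recursive FTP retrieval should be audited for. The function names and the sample tree are constructed for illustration, and GNU `readlink` (`-f`, `-m`) is assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): list symbolic links inside a
# directory written by a recursive FTP retrieval whose targets resolve
# outside that directory. Assumes GNU readlink (-f and -m), as on Debian.

# find_escaping_symlinks DIR
# Prints "<link> -> <target>" for each symlink under DIR that leaves DIR.
find_escaping_symlinks() {
    fes_root=$(readlink -f -- "$1") || return 2
    find "$fes_root" -type l -exec sh -c '
        root=$1; shift
        for link do
            # -m canonicalises even when the target does not exist
            resolved=$(readlink -m -- "$link")
            case "$resolved" in
                "$root" | "$root"/*) ;;   # target stays inside the tree
                *) printf "%s -> %s\n" "$link" "$(readlink -- "$link")" ;;
            esac
        done' sh "$fes_root" {} +
}

# make_constructed_mirror
# Builds a constructed sample tree and prints its parent directory.
make_constructed_mirror() {
    fes_tmp=$(mktemp -d) || return 1
    mkdir -p "$fes_tmp/mirror/pub"
    echo "sample" > "$fes_tmp/mirror/pub/readme.txt"
    ln -s readme.txt    "$fes_tmp/mirror/pub/latest"  # stays inside
    ln -s ../../outside "$fes_tmp/mirror/pub/rel"     # relative escape
    ln -s /etc          "$fes_tmp/mirror/pub/abs"     # absolute escape
    printf '%s\n' "$fes_tmp"
}

# Command-line use: sh check_links.sh /path/to/download-dir
if [ "$#" -gt 0 ]; then
    find_escaping_symlinks "$1"
fi
```

Any line it prints is a link worth inspecting before the directory is used; an empty result means every link in the tree points back into the tree.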

