• [SECURITY] [DSA 3062-1] wget security update

    From Luciano Bello@1:229/2 to All on Sun Nov 2 22:10:02 2014
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3062-1                   [email protected]
    http://www.debian.org/security/                            Luciano Bello
    November 01, 2014                      http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : wget
    CVE ID : CVE-2014-4877
    Debian Bug : 766981

    HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line
    utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability
    allows the creation of arbitrary files on the user's system when Wget runs
    in recursive mode against a malicious FTP server. Arbitrary file creation
    may override the content of the user's files or permit remote code
    execution with the user's privileges.

    This update changes the default setting in Wget such that it no longer
    creates local symbolic links, but rather traverses them and retrieves the
    pointed-to file in such a retrieval.

    For the stable distribution (wheezy), this problem has been fixed in
    version 1.13.4-3+deb7u2.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.16-1.

    We recommend that you upgrade your wget packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2

    iQIcBAEBCAAGBQJUVpzsAAoJEG7C3vaP/jd0HuwP/1xCK+cddnPbiTBDdQ7ADDd1
    tw6Qj9smr7anS5iio9Afi4DSSdM79T6P3tL+Qj9QDKzCfk11Q0UemU/QOlwY2ep+
    uV5lVIuevTsEypxz0V3p7BMyaTP0tS2bcxBAAhIzGXcBjnQ91G74J6vWfSJ+btiu
    7vMJ9eqMXbj6oz4Vx7VooWRmLRlU1H+bQzrw7e3kONrOM6Smb6GBzl6H7yaA7ns+
    2k7FR4mvggHiCQa8pU2DNUbSW7CwSuoMuu6jdDOGFmgT/Qt74LF9erGZ1Zja6IXX
    Obk5JksAtPkm/RfuhkAA2dVaf6EuGN7VyTjTPumrQgYan2WZZcSsRDtS2uQ9BlRJ
    bzJKnr7KYKUH+bKVSA2fEPxk8nr4o0kWAtty58L1bTlHJ3T4CJfgpNUJBgyxKkZK
    ezIoDokHwH1fUnAsU/7IJdzjsjyOhAZmYAkj5m0mVfklkCTqYPL8mL0FrODovloW
    22w5KYJ8uluYgdUBOv5/HBmm7UEX2irOF1a4WB9fvwYo/yAdcMd8PtqtNMuabpVG
    t7aIvGJDJJWXqN0YUYtyqVFcQG+NznRU/2wQnwNzR3i/a9gkQlsU0/SAbVaGW7Nc
    5tb4337DZnAhknY9PygGvc5AQsxeA7igXaQx5rMLqPsJmIvkdD0873H2RjmqPins
    0sYvWVBAefAMZH6eAnuy
    =bD/d
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]
    Archive: https://lists.debian.org/3051189.XDyDVgVXoy@box

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
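As an added example, not part of the advisory and not Debian's or GNU Wget's own code, the following Python checker decides whether a host is covered against CVE-2014-4877. It re-implements dpkg's version ordering so that the installed package version can be compared against the fixed versions quoted in the advisory, and, for a package that is still below the fix, looks in the user's wgetrc for `retr_symlinks = on`, the setting whose new default the advisory describes (the option name, its accepted boolean spellings and wget's case-, dash- and underscore-insensitive matching of command names are assumptions taken from the wget manual, not facts stated in the advisory; the sample wgetrc is constructed).

```python
"""Check whether an installed wget is covered against CVE-2014-4877 (symlink
creation during recursive FTP retrieval): either the Debian package is at or
above the fixed version from DSA-3062-1, or the user's wgetrc already makes
wget retrieve symlinks as plain files. Added example; not Debian/Wget code."""

# Fixed versions quoted in DSA-3062-1.
FIXED_VERSIONS = {"wheezy": "1.13.4-3+deb7u2", "sid": "1.16-1"}


def _order(c):
    """Character weight used by dpkg's version comparison (re-implemented here)."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream-version or revision fragment the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs are compared by character weight; '~' sorts lowest,
        # and end-of-string (weight 0) sorts below any other non-digit.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs are compared numerically: drop leading zeros, then the
        # longer run wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split a Debian version string into (epoch, upstream, debian_revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def debian_version_cmp(a, b):
    """Return <0, 0 or >0 like `dpkg --compare-versions` (epoch, upstream, revision)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r else _verrevcmp(ra, rb)


def wgetrc_retr_symlinks(wgetrc_text):
    """True if the wgetrc text turns retr_symlinks on. Assumption (from the wget
    manual): command names are case-, dash- and underscore-insensitive and the
    boolean accepts on/off, yes/no, 1/0; '#' lines are comments."""
    value = None
    for raw in wgetrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        if key.lower().replace("_", "").replace("-", "") == "retrsymlinks":
            value = val.lower()  # last assignment wins, as in a config file
    return value in ("on", "yes", "1")


def cve_2014_4877_status(installed_version, suite, wgetrc_text=""):
    """Classify a host: fixed package, covered by the wgetrc setting, or neither."""
    if debian_version_cmp(installed_version, FIXED_VERSIONS[suite]) >= 0:
        return "fixed-package"
    if wgetrc_retr_symlinks(wgetrc_text):
        return "mitigated-by-wgetrc"
    return "vulnerable"


# Constructed sample ~/.wgetrc for the demonstration below.
SAMPLE_WGETRC = "# constructed sample ~/.wgetrc\ntimeout = 30\nretr_symlinks = on\n"

if __name__ == "__main__":
    for ver, suite, rc in [("1.13.4-3+deb7u1", "wheezy", ""),
                           ("1.13.4-3+deb7u1", "wheezy", SAMPLE_WGETRC),
                           ("1.13.4-3+deb7u2", "wheezy", ""),
                           ("1.16-1", "sid", "")]:
        print(ver, suite, cve_2014_4877_status(ver, suite, rc))
```

On a real host the installed version would come from `dpkg-query -W -f='${Version}' wget` and the wgetrc text from `~/.wgetrc` or `/etc/wgetrc`; the comparison deliberately follows dpkg's algorithm rather than a naive dotted-number compare, because the wheezy fix (`1.13.4-3+deb7u2`) is a backport whose upstream part stays below 1.16.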
  • From Louis Kowolowski@1:229/2 to All on Sun Nov 2 23:00:01 2014
    XPost: linux.debian.security
    From: [email protected]

    Sent from my iPhone

    On Nov 2, 2014, at 1:06 PM, Luciano Bello <[email protected]> wrote:



