Bug in wget: CVE-2014-4877

Bug in wget: CVE-2014-4877

Sverre Moe
A new version of wget is out, 1.16

http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
* Noteworthy changes in Wget 1.16
** No longer create local symbolic links by default. Closes CVE-2014-4877.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

OpenSUSE 13.1 uses wget-1.14
Last changes: Thu May 2 17:50:50 UTC 2013
https://build.opensuse.org/package/show/openSUSE:13.1/wget

OpenSUSE 13.2 uses wget-1.15
Last changes: Sun Jan 19 22:02:25 UTC 2014
https://build.opensuse.org/package/show/openSUSE:13.2/wget

When will we see a fix for wget on OpenSUSE?
I also use some SLES and have not seen any indication that SUSE is on
this either.
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Bug in wget: CVE-2014-4877

Thomas Biege
Hi,

we already started an update for SLE. We will release it as soon as
possible based on impact and relative to other running issues.

The openSUSE community is happy about every helping hand... so if you
want to learn something about packaging and the build-service, feel free.

Bye,
Thomas


On 10/30/2014 10:20 AM, Sverre Moe wrote:

> A new version of wget is out, 1.16
>
> http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
> * Noteworthy changes in Wget 1.16
> ** No longer create local symbolic links by default. Closes CVE-2014-4877.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877
>
> https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
>
> OpenSUSE 13.1 uses wget-1.14
> Last changes: Thu May 2 17:50:50 UTC 2013
> https://build.opensuse.org/package/show/openSUSE:13.1/wget
>
> OpenSUSE 13.2 uses wget-1.15
> Last changes: Sun Jan 19 22:02:25 UTC 2014
> https://build.opensuse.org/package/show/openSUSE:13.2/wget
>
> When will we see a fix for wget on OpenSUSE?
> I also use some SLES and have not seen any indication that SUSE is on
> this either.
>

--
Thomas Biege <[hidden email]>, Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
--
  Whoever stops wanting to become better stops being good.
                            -- Marie von Ebner-Eschenbach



Re: Bug in wget: CVE-2014-4877

Victor Pereira
In reply to this post by Sverre Moe
Hi,

yes, we are tracking it here:
https://bugzilla.suse.com/show_bug.cgi?id=902709

thank you

Victor Pereira


On 10/30/2014 09:20 AM, Sverre Moe wrote:

> A new version of wget is out, 1.16
>
> http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
> * Noteworthy changes in Wget 1.16
> ** No longer create local symbolic links by default. Closes CVE-2014-4877.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877
>
> https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
>
> OpenSUSE 13.1 uses wget-1.14
> Last changes: Thu May 2 17:50:50 UTC 2013
> https://build.opensuse.org/package/show/openSUSE:13.1/wget
>
> OpenSUSE 13.2 uses wget-1.15
> Last changes: Sun Jan 19 22:02:25 UTC 2014
> https://build.opensuse.org/package/show/openSUSE:13.2/wget
>
> When will we see a fix for wget on OpenSUSE?
> I also use some SLES and have not seen any indication that SUSE is on
> this either.

--
Victor Pereira
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
