Opened 10 years ago

Closed 10 years ago

#45714 closed defect (fixed)

wget: CVE-2014-4877

Reported by: neverpanic (Clemens Lang)
Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: High
Milestone:
Component: ports
Version: 2.3.2
Keywords: security
Cc:
Port: wget

Description

Wget until version 1.16 has an absolute path traversal vulnerability that allows rogue FTP servers to write arbitrary files and thus execute arbitrary commands.

See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877.

It doesn't seem like upstream released a fixed version yet, but Ubuntu has a patch in debian/patches/CVE-2014-4877.patch in http://archive.ubuntu.com/ubuntu/pool/main/w/wget/wget_1.15-1ubuntu1.14.04.1.debian.tar.gz.

Change History (2)

comment:1 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)

The CVE and the debian bug report say wget version 1.16 fixes the problem; the port is already updated to that version. Is there anything else I need to do?

comment:2 Changed 10 years ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: new → closed