Opened 10 years ago
Closed 10 years ago
#45714 closed defect (fixed)
wget: CVE-2014-4877
Reported by: | neverpanic (Clemens Lang) | Owned by: | ryandesign (Ryan Carsten Schmidt) |
---|---|---|---|
Priority: | High | Milestone: | |
Component: | ports | Version: | 2.3.2 |
Keywords: | security | Cc: | |
Port: | wget |
Description
Wget until version 1.16 has an absolute path traversal vulnerability that allows rogue FTP servers to write arbitrary files and thus execute arbitrary commands.
See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877.
It doesn't seem like upstream released a fixed version yet, but Ubuntu has a patch in debian/patches/CVE-2014-4877.patch in http://archive.ubuntu.com/ubuntu/pool/main/w/wget/wget_1.15-1ubuntu1.14.04.1.debian.tar.gz.
Change History (2)
comment:1 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)
The CVE and the Debian bug report say wget version 1.16 fixes the problem; the port is already updated to that version. Is there anything else I need to do?
comment:2 Changed 10 years ago by neverpanic (Clemens Lang)
Resolution: | → fixed |
---|---|
Status: | new → closed |
You're right: http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html. Sorry for the noise.