| Summary: | <net-misc/wget-1.16.3-r1: IP address exposure via FTP PORT command | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | base-system |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://git.savannah.gnu.org/cgit/wget.git/commit/?id=075d7556964f5a871a73c22ac4b69f5361295099 | ||
| See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1260921 | ||
| Whiteboard: | A4 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
added upstream patch in 1.16.3-r1. should be fine for stable. http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed1e5984dd18412d94ee20624acbdfa10c3f994a Arches, please test and mark stable: =net-misc/wget-1.16.3-r1 Target keywords : "alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sh sparc x86" amd64 stable x86 stable Stable for HPPA PPC64. Stable on alpha. ppc stable arm stable sparc stable New GLSA request filed. This issue was resolved and addressed in GLSA 201610-11 at https://security.gentoo.org/glsa/201610-11 by GLSA coordinator Kristian Fiskerstrand (K_F). |
From ${URL} : User's IP address is exposed to the FTP server when automatically falling back from passive mode to active mode using PORT command. Wget is using normally passive mode, but this situation occurs when server rejects the PASV command. The real IP address is exposed even if client uses proxy server. Affected versions are <= 1.16.3. CVE request: http://seclists.org/oss-sec/2015/q3/516 Upstream patch: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=075d7556964f5a871a73c22ac4b69f5361295099 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.