From the Changelog: ** SECURITY FIX: It had been possible to trick Wget into accepting SSL certificates that don't match the host name, through the trick of embedding NUL characters into the certs' common name. Fixed by Joao Ferreira <joao <at> joaoff.com>. This issue is related to CVE-2009-2408 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408).
wget-1.12 now in the tree
erp, didn't mean to close the bug
Created attachment 205034: wget-1.12.ebuild.diff

wget-1.12 makes use of libidn when it is found on the system and not explicitly disabled through configure:

    # ldd /usr/bin/wget | grep idn
    libidn.so.11 => /usr/lib/libidn.so.11 (0x00007f2b11074000)

Please find attached an ebuild patch which incorporates the idn USE flag...

By the way, is the linking patch no longer necessary, or was it dropped because it doesn't apply anymore? If the latter is true, I created a new linking patch for wget-1.12. Just let me know if you want that patch.
thanks, that looks good to me
CVE-2009-3490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3490): GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
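The failure mode described in the CVE text, as an added illustration that is not code from wget or from this bug: a Common Name is an ASN.1 string with an explicit length, but a verifier that hands it to strcmp() stops at the first NUL byte and never sees the rest. The crafted CN bytes and the host name below are constructed sample values; the hardened check is the kind of length-vs-NUL comparison a client needs, written here from scratch rather than taken from the wget fix.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a CN whose declared (DER) length covers bytes beyond an
 * embedded NUL. Viewed as a C string it reads as just "www.example.com". */
static const unsigned char CRAFTED_CN[] = "www.example.com\0.attacker.example";
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1)

/* Naive check: the CN is treated as a C string. The length the certificate
 * declares is ignored, so strcmp() compares only the bytes before the NUL. */
int cn_matches_host_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened check: reject any CN that contains a NUL inside its declared
 * length, then require the complete byte sequence to equal the host name. */
int cn_matches_host_checked(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                     /* embedded NUL: never valid in a host name */
    if (cn_len != strlen(host))
        return 0;                     /* lengths differ: cannot be the same name */
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("naive   : %s\n",
           cn_matches_host_naive(CRAFTED_CN, CRAFTED_CN_LEN, host) ? "accepted" : "rejected");
    printf("checked : %s\n",
           cn_matches_host_checked(CRAFTED_CN, CRAFTED_CN_LEN, host) ? "accepted" : "rejected");
    return 0;
}
```

The naive comparison accepts the crafted CN for www.example.com; the checked version rejects it while still accepting a CN whose declared length matches the host name exactly.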
Arches, please test and mark stable: =net-misc/wget-1.12 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
x86 stable
Stable for HPPA.
alpha/arm/ia64/m68k/s390/sh/sparc stable
amd64 stable
ppc stable
ppc64 done
GLSA 200910-10