Summary: | <net-misc/wget-1.18: Lack of filename checking allows arbitrary file upload via FTP redirect (CVE-2016-4971) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | base-system |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=329941 https://bugzilla.redhat.com/show_bug.cgi?id=1343666 | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
I added 1.18 last night. Should be fine for stable.

Stable on alpha.

@arches, please stabilize: =net-misc/wget-1.18

Stable for PPC64.

Stable for HPPA.

arm stable

amd64 stable

x86 stable

CVE-2016-4971 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4971): GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.

Added to existing GLSA.

ppc stable

sparc stable

ia64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.

Arches, Thank you for your work. Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s).

Version: 1.17.1-r1 : 0

This issue was resolved and addressed in GLSA 201610-11 at https://security.gentoo.org/glsa/201610-11 by GLSA coordinator Kristian Fiskerstrand (K_F).

Reopening for Cleanup - Version wget-1.17.1-r1 still in tree.

commit 98185b2fdd2323a4242c46a396174e9eb5409b17
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Mon Oct 31 08:11:21 2016

net-misc/wget: Removed vulnerable version.

Package-Manager: portage-2.3.2
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

Thanks!