| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <net-misc/wget-1.19.1-r1: CRLF injection in the url_parse function in url.c (CVE-2017-6508) | | |
| Product | Gentoo Security | Reporter | Thomas Deutschmann (RETIRED) <whissi> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | base-system |
| Priority | Normal | Flags | stable-bot: sanity-check+ |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html | | |
| Whiteboard | B2 [glsa cve] | | |
| Package list | =net-misc/wget-1.19.1-r1 | | |
| Runtime testing required | --- | | |
| Bug Depends on | 609244, 612376 | | |
| Bug Blocks | 612498 | | |
Description

Thomas Deutschmann (RETIRED)
2017-03-11 16:03:52 UTC

Upstream patch: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4

    commit ae9ba23240bc2dda1b90887732451801b96117f1
    Author: Lars Wendler <polynomial-c@gentoo.org>
    Date:   Sat Mar 11 20:43:33 2017

        net-misc/wget: Security revbump to fix CRLF injection (bug #612326).

        Package-Manager: Portage-2.3.4, Repoman-2.3.2

Arches please test and mark stable =net-misc/wget-1.19.1-r1 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris

arm ppc ppc64 stable.

arm64 stable w/ following additions:
=dev-perl/HTTP-Message-6.110.0
=virtual/perl-IO-Compress-2.68.1_rc
=virtual/perl-Compress-Raw-Bzip2-2.68.0-r1
=virtual/perl-IO-1.350.100_rc
=virtual/perl-Compress-Raw-Zlib-2.68.0-r1
=dev-perl/URI-1.710.0
=dev-perl/IO-HTML-1.1.0

amd64 stable

Please note, net-misc/wget-1.19.1-r1 has a linking issue with USE=idn, see bug #612498.

Stable for HPPA.

sparc stable

CVE-2017-6508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6508): CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.

alpha stable

ia64 stable

x86 stable. Maintainer(s), please cleanup. New GLSA request filed.

Cleanup PR: https://github.com/gentoo/gentoo/pull/4954

This issue was resolved and addressed in GLSA 201706-16 at https://security.gentoo.org/glsa/201706-16 by GLSA coordinator Kristian Fiskerstrand (K_F).

Reopen for cleanup

Repository is clean (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79c6e0d3c61d35a6669b0091f4548fb199250eb7), all done.
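A defensive pre-check for the input class named in the CVE description above, added here as an example; it is not code from wget, from the upstream fix, or from any participant in this bug. It extracts a URL's authority (userinfo, host, port) with a small hand-rolled extractor and rejects a raw CR or LF anywhere in it, on the assumption that a caller wants to refuse such a URL before handing it to an HTTP client. The sample URLs and the function names `authority_of` and `authority_has_crlf` are constructed for this example.

```python
import re
from typing import Optional

# Raw CR/LF inside a request line or header field ends that line on the wire,
# which is what lets a hostile URL smuggle an extra HTTP header (CVE-2017-6508 class).
_CRLF = frozenset("\r\n")

_SCHEME_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

def authority_of(url: str) -> Optional[str]:
    """Return the authority (userinfo@host:port) of a hierarchical URL, or None.

    A hand-rolled extractor is used on purpose: urllib.parse in CPython >= 3.9.5
    silently strips tab, CR and LF from a URL before parsing (bpo-43882), which
    would hide exactly the bytes this check exists to find.
    """
    m = _SCHEME_AUTHORITY.match(url)
    if m is None:
        return None            # opaque URL such as mailto:, no authority part
    rest = url[m.end():]
    end = len(rest)
    for delim in "/?#":        # authority ends at the first path/query/fragment delimiter
        i = rest.find(delim)
        if i != -1 and i < end:
            end = i
    return rest[:end]

def authority_has_crlf(url: str) -> bool:
    """True if the URL's authority carries a raw CR or LF.

    The whole authority is inspected rather than the host alone, so a CRLF placed
    after the port (host:80\\r\\nX: y) is caught too.  Percent-encoded %0D%0A is
    left alone: it stays encoded on the wire and cannot terminate a header.
    """
    authority = authority_of(url)
    return authority is not None and not _CRLF.isdisjoint(authority)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bug report.
    for sample in ("http://example.com/index.html",
                   "http://example.com\r\nX-Injected: yes/",
                   "http://example.com:80\r\nX-Injected: yes/",
                   "http://example.com/?q=%0D%0A"):
        print(repr(sample), "-> reject" if authority_has_crlf(sample) else "-> ok")
```

A CR/LF in the path or query is out of scope for this check; if the client does not encode those parts itself, validate the whole URL the same way.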