Summary: | net-misc/wget: Authorisation header disclosure on redirect (CVE-2021-31879) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | normal | CC: | base-system |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [upstream?] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2021-04-29 19:08:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05f98b2284e04f5078b8b38238d6688f9c76414b

commit 05f98b2284e04f5078b8b38238d6688f9c76414b
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-04-29 19:40:38 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-04-29 19:41:01 +0000

    dev-util/samurai: Security revbump to fix null pointer dereference

    Removed old

    Bug: https://bugs.gentoo.org/786957
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/samurai-1.2-null_pointer_fix.patch | 26 ++++++++++++++++++++++
 .../{samurai-1.2.ebuild => samurai-1.2-r1.ebuild} | 4 ++++
 2 files changed, 30 insertions(+)

Sorry, wrong bug referenced :-(

Package list is empty or all packages have requested keywords.

https://github.com/flatcar-linux/portage-stable/commit/aecbf049b7776a38fd5ae55a06a779b58134e323 seems to indicate it was fixed in 1.21.2 but I don't see another source for this yet. I don't see a reference upstream.

Thanks, you are right. CVE-2021-31879 is indeed not fixed, according to https://savannah.gnu.org/bugs/?56909 . We will continue following the issue in the future, and try to address correctly when there is news from the upstream wget.