From the Changelog:
** SECURITY FIX: It had been possible to trick Wget into accepting
SSL certificates that don't match the host name, through the trick of
embedding NUL characters into the certs' common name. Fixed by Joao
Ferreira <joao <at> joaoff.com>.
This issue is related to CVE-2009-2408 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408).
wget-1.12 now in the tree
erp, didn't mean to close the bug
Created attachment 205034
wget-1.12 makes use of libidn when it is found on the system and not explicitly disabled through configure:
# ldd /usr/bin/wget | grep idn
libidn.so.11 => /usr/lib/libidn.so.11 (0x00007f2b11074000)
Please find attached an ebuild patch which incorporates the idn USE flag...
By the way, is the linking patch no longer necessary or was it dropped because it doesn't apply anymore? If the latter is true, I created a new linking patch for wget-1.12. Just let me know if you want that patch.
thanks, that looks good to me
GNU Wget before 1.12 does not properly handle a '\0' character in a
domain name in the Common Name field of an X.509 certificate, which
allows man-in-the-middle remote attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate
Certification Authority, a related issue to CVE-2009-2408.
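The defect described above, illustrated in C as an added example (this is not wget's own code): a certificate Common Name is length-prefixed ASN.1 data, so a NUL byte inside it is ordinary content, while a C-string comparison stops at the first NUL and only ever sees the prefix. The CN bytes, the host name and the function names below are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed CN bytes: "www.example.com" followed by an embedded NUL and
 * a second label. The ASN.1 length covers all 33 bytes; the trailing NUL
 * added by the C compiler is not part of the CN. */
static const unsigned char crafted_cn[] =
    "www.example.com\0.attacker.invalid";
static const size_t crafted_cn_len = sizeof(crafted_cn) - 1;

/* Vulnerable pattern: the CN is handed to strcmp() as if it were a C string.
 * The comparison ends at the embedded NUL, so only "www.example.com" is
 * compared and the crafted CN is accepted for that host. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* the ASN.1 length is ignored: this is the defect */
    return strcmp((const char *)cn, host) == 0;
}

/* Fixed pattern: honour the ASN.1 length. A host name never contains a NUL,
 * so any NUL inside the CN is rejected outright, and the remaining bytes
 * must match the host name exactly, length included. */
int cn_matches_fixed(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (cn_len != strlen(host))
        return 0;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("naive check accepts crafted CN: %d\n",
           cn_matches_naive(crafted_cn, crafted_cn_len, host));
    printf("fixed check accepts crafted CN: %d\n",
           cn_matches_fixed(crafted_cn, crafted_cn_len, host));
    return 0;
}
```

The same length-aware comparison has to be applied to every name the client checks, including subjectAltName entries, since each is carried as length-prefixed ASN.1 data in the same way.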
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.