From ${URL} : User's IP address is exposed to the FTP server when automatically falling back from passive mode to active mode using the PORT command. Wget normally uses passive mode, but this situation occurs when the server rejects the PASV command. The real IP address is exposed even if the client uses a proxy server. Affected versions are <= 1.16.3. CVE request: http://seclists.org/oss-sec/2015/q3/516 Upstream patch: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=075d7556964f5a871a73c22ac4b69f5361295099 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
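The fallback described in the report above, as an added example that is not code from this bug or from wget itself: a simulated FTP client that sends PASV and, when the server rejects it, either silently switches to PORT (the behaviour reported here) or refuses to unless active mode was explicitly allowed. The reply strings, the 10.0.0.5 address and port 49152 are constructed sample values; treating any 4xx/5xx reply to PASV as a rejection and making active mode opt-in are assumptions for the illustration, not a description of the upstream patch.

```python
"""Simulated FTP data-channel negotiation showing the PASV -> PORT fallback.

Added illustration for this bug, not wget's source. Assumptions: a 4xx/5xx
reply to PASV counts as rejection, the client's local address is whatever
the control socket is bound to, and every address and reply below is a
constructed sample value.
"""
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_OK_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


class FallbackRefused(Exception):
    """Server rejected PASV and the client is not allowed to go active."""


def build_port_command(local_ip, local_port):
    """Encode the client's own address as an RFC 959 PORT argument."""
    octets = local_ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected dotted-quad IPv4 address: %r" % local_ip)
    return "PORT " + ",".join(octets + [str(local_port >> 8), str(local_port & 0xFF)])


def negotiate_data_channel(pasv_reply, local_ip, local_port, allow_active_fallback):
    """Decide the next step after the client sent PASV and read one reply.

    Returns ("passive", (host, port)) when the server accepted PASV, or
    ("active", "PORT ...") when the client falls back to active mode.
    The PORT argument carries local_ip verbatim: if that is the client's
    real address behind a proxy, the fallback hands it to the server.
    """
    m = PASV_OK_RE.match(pasv_reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return ("passive", ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2))
    if pasv_reply[:1] not in ("4", "5"):
        raise ValueError("unexpected reply to PASV: %r" % pasv_reply)
    # Server rejected PASV. Vulnerable behaviour: silently switch to PORT.
    # Hardened behaviour: stop unless the user explicitly asked for active mode.
    if not allow_active_fallback:
        raise FallbackRefused(pasv_reply.strip())
    return ("active", build_port_command(local_ip, local_port))


def address_seen_by_server(port_command):
    """What the FTP server learns from a PORT command: (ip, port) of the client."""
    m = PORT_RE.match(port_command)
    if not m:
        raise ValueError("not a PORT command: %r" % port_command)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def demo():
    """Run the leak scenario: proxied client, server that rejects PASV."""
    real_ip, local_port = "10.0.0.5", 49152          # constructed values
    reject = "502 Command not implemented."           # constructed PASV reply
    mode, cmd = negotiate_data_channel(reject, real_ip, local_port, True)
    leaked = address_seen_by_server(cmd)
    print("vulnerable fallback sent:", cmd, "-> server learns", leaked)
    try:
        negotiate_data_channel(reject, real_ip, local_port, False)
    except FallbackRefused as e:
        print("hardened client stopped instead of sending PORT:", e)
    return leaked


if __name__ == "__main__":
    demo()
```

The point the simulation makes is that the leak is not in the proxy path but in the PORT argument itself: whatever address the client puts there is what the server will try to connect back to, so a client that falls back without being asked reveals that address no matter how the control channel reached the server.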
Added upstream patch in 1.16.3-r1. Should be fine for stable. http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed1e5984dd18412d94ee20624acbdfa10c3f994a
Arches, please test and mark stable: =net-misc/wget-1.16.3-r1 Target keywords: "alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 stable
x86 stable
Stable for HPPA PPC64.
Stable on alpha.
ppc stable
arm stable
sparc stable
New GLSA request filed.
This issue was resolved and addressed in GLSA 201610-11 at https://security.gentoo.org/glsa/201610-11 by GLSA coordinator Kristian Fiskerstrand (K_F).