CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.
Upstream patch: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
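An added example, not part of the original report and not Wget's code or the upstream patch: a stand-alone C check that rejects a URL whose host subcomponent contains control characters such as CR or LF, raw or percent-encoded, before the host is used in a request header. The function names, the simplified authority parsing (no IPv6 literals) and the sample URLs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Return 1 if the host of "scheme://[userinfo@]host[:port][/path]" is free of
   control characters (CR, LF, NUL, ...), raw or %XX-encoded; 0 otherwise.
   Hypothetical helper with simplified authority parsing (no IPv6 literals). */
int url_host_is_safe(const char *url)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return 0;
    p += 3;
    size_t n = strcspn(p, "/?#");            /* length of the authority */
    for (size_t i = n; i > 0; i--) {         /* drop userinfo up to the last '@' */
        if (p[i - 1] == '@') { n -= i; p += i; break; }
    }
    const char *colon = memchr(p, ':', n);   /* drop ":port" */
    if (colon != NULL)
        n = (size_t)(colon - p);
    if (n == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        /* Decode a well-formed %XX escape so an encoded CR/LF is seen too. */
        if (c == '%' && i + 2 < n && hex_val(p[i + 1]) >= 0 && hex_val(p[i + 2]) >= 0) {
            c = (unsigned char)(hex_val(p[i + 1]) * 16 + hex_val(p[i + 2]));
            i += 2;
        }
        if (c < 0x20 || c == 0x7f)           /* control character in host */
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample URLs, not taken from the report. */
    const char *urls[] = { "http://example.com/index.html",
                           "http://example.com%0d%0aX-Injected:%20yes/" };
    for (size_t i = 0; i < 2; i++)
        printf("%-45s %s\n", urls[i], url_host_is_safe(urls[i]) ? "ok" : "rejected");
    return 0;
}
```

The check looks only at the host subcomponent, so an escape that appears in the path does not cause a rejection here.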
commit ae9ba23240bc2dda1b90887732451801b96117f1
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Sat Mar 11 20:43:33 2017

net-misc/wget: Security revbump to fix CRLF injection (bug #612326).

Package-Manager: Portage-2.3.4, Repoman-2.3.2

Arches please test and mark stable =net-misc/wget-1.19.1-r1 with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
arm ppc ppc64 stable.
arm64 stable w/ following additions =dev-perl/HTTP-Message-6.110.0 =virtual/perl-IO-Compress-2.68.1_rc =virtual/perl-Compress-Raw-Bzip2-2.68.0-r1 =virtual/perl-IO-1.350.100_rc =virtual/perl-Compress-Raw-Zlib-2.68.0-r1 =dev-perl/URI-1.710.0 =dev-perl/IO-HTML-1.1.0
amd64 stable
Please note, net-misc/wget-1.19.1-r1 has linking issue with USE=idn, see bug #612498.
Stable for HPPA.
sparc stable
CVE-2017-6508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6508): CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.
alpha stable
ia64 stable
x86 stable. Maintainer(s), please cleanup.
New GLSA request filed.
Cleanup PR: https://github.com/gentoo/gentoo/pull/4954
This issue was resolved and addressed in GLSA 201706-16 at https://security.gentoo.org/glsa/201706-16 by GLSA coordinator Kristian Fiskerstrand (K_F).
Reopen for cleanup
Repository is clean (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79c6e0d3c61d35a6669b0091f4548fb199250eb7), all done.