wget stores download URLs (and included in them potentially HTTP authentication passwords) in its extended attributes. Upstream 1.20.1 disables this behavior by default and adds some safeguards, see:
https://lists.gnu.org/archive/html/bug-wget/2018-12/msg00034.html
It's already in the tree, I suggest stabilizing 1.20.1 asap.
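Added example, not part of the original report and not wget's own code: a Linux audit script that walks a directory tree, reports files that carry a stored download URL in their extended attributes, flags those whose URL embeds credentials, and can strip the attributes. It assumes the attribute names `user.xdg.origin.url` and `user.xdg.referrer.url`, which are not named in this report; the `--strip` option and all function names are hypothetical.

```python
#!/usr/bin/env python3
"""Audit a tree for download URLs that wget saved in extended attributes (Linux)."""
import os
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumption: the xattr names wget writes; they are not named in the report.
URL_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def redact_url(url):
    """Return (has_credentials, url_without_userinfo) for one stored URL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname or "", parts.port
    except ValueError:  # malformed port or IPv6 literal: treat as suspect
        return True, "<unparseable URL>"
    has_credentials = parts.username is not None or parts.password is not None
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = f"{host}:{port}" if port is not None else host
    return has_credentials, urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_tree(root, strip=False):
    """Yield (path, attr, has_credentials, redacted_url) for every stored URL."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for attr in URL_XATTRS:
                try:
                    raw = os.getxattr(path, attr, follow_symlinks=False)
                except OSError:  # attribute absent, or filesystem without xattrs
                    continue
                has_credentials, safe = redact_url(raw.decode("utf-8", "replace"))
                if strip:
                    os.removexattr(path, attr, follow_symlinks=False)
                yield path, attr, has_credentials, safe


def main(argv):
    strip = "--strip" in argv
    roots = [a for a in argv if a != "--strip"] or ["."]
    leaked = False
    for root in roots:
        for path, attr, has_credentials, safe in scan_tree(root, strip):
            leaked |= has_credentials
            flag = "CREDENTIALS" if has_credentials else "url"
            print(f"{flag}\t{path}\t{attr}\t{safe}")
    return 1 if leaked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The script prints only the redacted URL, so its own output can be logged without repeating the leak; a non-zero exit status means at least one file carried credentials.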
x86 stable
sparc stable
ppc stable
ppc64 stable
commit db55a059572de84d5bb25032009711b652f2d527
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Mon Dec 31 18:00:32 2018 +0100

    net-misc/wget: Stable for HPPA too.
ia64 stable
amd64 stable
arm64 stable
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201903-08 at https://security.gentoo.org/glsa/201903-08 by GLSA coordinator Aaron Bauman (b-man).