Subject: SECURITY: wget
From: "Yaakov (Cygwin/X)"
To: cygwin-apps
Date: Sun, 16 Oct 2011 18:04:00 -0000
Message-ID: <1318788264.7624.3.camel@YAAKOV04>
X-SW-Source: 2011-10/txt/msg00039.txt.bz2

Eric,

wget-1.12 is vulnerable to CVE-2010-2252; please update to the latest upstream release (1.13.4) to fix.

While you're at it, may I suggest adding the attached patch to fix the documented location of wgetrc.

Yaakov

Content-Disposition: attachment; filename="1.13.4-sysconfdir.patch"

--- origsrc/wget-1.13.4/doc/sample.wgetrc 2011-01-01 06:12:33.000000000 -0600 +++ src/wget-1.13.4/doc/sample.wgetrc 2011-10-15 23:11:23.836908900 -0500 @@ -7,7 +7,7 @@ ## not contain a comprehensive list of commands -- look at the manual ## to find out what you can put into this file. ## -## Wget initialization file can reside in /usr/local/etc/wgetrc +## Wget initialization file can reside in /etc/wgetrc ## (global, for all users) or $HOME/.wgetrc (for a single user). ## ## To use the settings in this file, you will have to uncomment them,
@@ -16,7 +16,7 @@ ## -## Global settings (useful for setting up in /usr/local/etc/wgetrc). +## Global settings (useful for setting up in /etc/wgetrc). ## Think well before you change them, since they may reduce wget's ## functionality, and make it behave contrary to the documentation: ## --- origsrc/wget-1.13.4/doc/wget.texi 2011-08-06 05:22:58.000000000 -0500 +++ src/wget-1.13.4/doc/wget.texi 2011-10-15 23:11:00.686468500 -0500 @@ -190,14 +190,14 @@ gauge can be customized to your preferen Most of the features are fully configurable, either through command line options, or via the initialization file @file{.wgetrc} (@pxref{Startup File}). Wget allows you to define @dfn{global} startup files -(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also +(@file{/etc/wgetrc} by default) for site settings. You can also specify the location of a startup file with the --config option. @ignore @c man begin FILES @table @samp -@item /usr/local/etc/wgetrc +@item /etc/wgetrc Default location of the @dfn{global} startup file. @item .wgetrc @@ -2696,7 +2696,7 @@ commands. @cindex location of wgetrc When initializing, Wget will look for a @dfn{global} startup file, -@file{/usr/local/etc/wgetrc} by default (or some prefix other than +@file{/etc/wgetrc} by default (or some prefix other than @file{/usr/local}, if Wget was not installed there) and read commands from there, if it exists. @@ -2708,7 +2708,7 @@ If @code{WGETRC} is not set, Wget will t The fact that user's settings are loaded after the system-wide ones means that in case of collision user's wgetrc @emph{overrides} the -system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default). +system-wide wgetrc (in @file{/etc/wgetrc} by default). Fascist admins, away! @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File
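Review bot: In the sample.wgetrc hunk at @@ -7,7 +7,7 @@ (and the same pattern at @@ -16,7 +16,7 @@), the new comment hardcodes "/etc/wgetrc" just as the old one hardcoded "/usr/local/etc/wgetrc", so the documentation is only correct for a build whose sysconfdir happens to be /etc; sample.wgetrc is a plain text file, not generated at configure time, so any other prefix reintroduces the same mismatch. For the Cygwin package this is fine as shipped, but consider doing it as a sed over the configured sysconfdir in the package build rather than a source patch, so the documented path follows the actual prefix.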
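Review bot: In the wget.texi hunk at @@ -2696,7 +2696,7 @@ the changed line now reads "@file{/etc/wgetrc} by default (or some prefix other than" while the unchanged context line that follows still says "@file{/usr/local}, if Wget was not installed there)"; with /etc/wgetrc as the stated default there is no /usr/local prefix in the path for that parenthetical to refer to, so the sentence no longer makes sense. Either drop the parenthetical in this hunk or reword it to say that the file lives under whatever sysconfdir Wget was configured with.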