public inbox for cygwin-apps@cygwin.com
* SECURITY: wget
From: Yaakov (Cygwin/X) @ 2011-10-16 18:04 UTC
  To: cygwin-apps

Eric,

wget-1.12 is vulnerable to CVE-2010-2252; please update to the latest
upstream release (1.13.4) to fix.  While you're at it, may I suggest
adding the attached patch to fix the documented location of wgetrc.


Yaakov


[-- Attachment #2: 1.13.4-sysconfdir.patch --]
[-- Type: text/x-patch, Size: 2411 bytes --]

--- origsrc/wget-1.13.4/doc/sample.wgetrc	2011-01-01 06:12:33.000000000 -0600
+++ src/wget-1.13.4/doc/sample.wgetrc	2011-10-15 23:11:23.836908900 -0500
@@ -7,7 +7,7 @@
 ## not contain a comprehensive list of commands -- look at the manual
 ## to find out what you can put into this file.
 ##
-## Wget initialization file can reside in /usr/local/etc/wgetrc
+## Wget initialization file can reside in /etc/wgetrc
 ## (global, for all users) or $HOME/.wgetrc (for a single user).
 ##
 ## To use the settings in this file, you will have to uncomment them,
@@ -16,7 +16,7 @@
 
 
 ##
-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
+## Global settings (useful for setting up in /etc/wgetrc).
 ## Think well before you change them, since they may reduce wget's
 ## functionality, and make it behave contrary to the documentation:
 ##
--- origsrc/wget-1.13.4/doc/wget.texi	2011-08-06 05:22:58.000000000 -0500
+++ src/wget-1.13.4/doc/wget.texi	2011-10-15 23:11:00.686468500 -0500
@@ -190,14 +190,14 @@ gauge can be customized to your preferen
 Most of the features are fully configurable, either through command line
 options, or via the initialization file @file{.wgetrc} (@pxref{Startup
 File}).  Wget allows you to define @dfn{global} startup files
-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
+(@file{/etc/wgetrc} by default) for site settings. You can also
 specify the location of a startup file with the --config option.
  
 
 @ignore
 @c man begin FILES
 @table @samp
-@item /usr/local/etc/wgetrc
+@item /etc/wgetrc
 Default location of the @dfn{global} startup file.
 
 @item .wgetrc
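Review bot: In the introductory paragraph and the FILES table, /etc/wgetrc is now stated as the default, but both files touched by this patch are under doc/, so nothing here changes where wget actually looks for the global startup file. The statement is accurate only if the package is built with its system configuration directory set to /etc; confirm that in the build recipe, because a mismatch between the documentation and the binary would lead administrators to put site-wide settings in a file wget never reads.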
@@ -2696,7 +2696,7 @@ commands.
 @cindex location of wgetrc
 
 When initializing, Wget will look for a @dfn{global} startup file,
-@file{/usr/local/etc/wgetrc} by default (or some prefix other than
+@file{/etc/wgetrc} by default (or some prefix other than
 @file{/usr/local}, if Wget was not installed there) and read commands
 from there, if it exists.
 
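Review bot: The parenthetical left as context right after the changed line no longer fits: the sentence now reads "@file{/etc/wgetrc} by default (or some prefix other than @file{/usr/local}, if Wget was not installed there)", yet /etc/wgetrc is not under the /usr/local prefix at all. Drop the parenthetical or reword it in terms of the configured system configuration directory so the paragraph stays self-consistent.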
@@ -2708,7 +2708,7 @@ If @code{WGETRC} is not set, Wget will t
 
 The fact that user's settings are loaded after the system-wide ones
 means that in case of collision user's wgetrc @emph{overrides} the
-system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
+system-wide wgetrc (in @file{/etc/wgetrc} by default).
 Fascist admins, away!
 
 @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File

* Re: SECURITY: wget
From: Eric Blake @ 2011-10-17 21:45 UTC
  To: cygwin-apps

On 10/16/2011 12:04 PM, Yaakov (Cygwin/X) wrote:
> Eric,
>
> wget-1.12 is vulnerable to CVE-2010-2252; please update to the latest
> upstream release (1.13.4) to fix.  While you're at it, may I suggest
> adding the attached patch to fix the documented location of wgetrc.

Thanks for the heads-up.

-- 
Eric Blake   eblake@redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
