UbuntuUpdates.org

Package "wget"

Name: wget

Description:

retrieves files from the web

Latest version: 1.21.2-2ubuntu1.3
Release: jammy (22.04)
Level: security
Repository: main
Homepage: https://www.gnu.org/software/wget/

Links


Download "wget"


Other versions of "wget" in Jammy

Repository Area Version
base main 1.21.2-2ubuntu1
updates main 1.21.2-2ubuntu1.3

Changelog

Version: 1.21.2-2ubuntu1.3 2026-07-15 15:31:36 UTC

  wget (1.21.2-2ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow in metalink.
    - debian/patches/CVE-2026-58469.patch: Fix buffer overflow in
      src/metalink.c
    - CVE-2026-58469
  * SECURITY UPDATE: Integer overflow in http
    - debian/patches/CVE-2026-58470.patch: Fix integer overflow in src/http.c
    - CVE-2026-58470
  * SECURITY UPDATE: Buffer overflow in convert_fname.
    - debian/patches/CVE-2026-58471.patch: Fix buffer overflow in src/url.c
    - CVE-2026-58471
  * SECURITY UPDATE: Integer and buffer overflow in html_quote_string.
    - debian/patches/CVE-2026-58472.patch: Fix integer+buffer overflow in
      src/convert.c
    - CVE-2026-58472

 -- Kyle Kernick <email address hidden> Fri, 10 Jul 2026 16:04:53 -0600

Source diff to previous version
CVE-2026-58469 GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/m
CVE-2026-58470 GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c
CVE-2026-58471 GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that
CVE-2026-58472 GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c

Version: 1.21.2-2ubuntu1.1 2024-06-26 17:07:21 UTC

  wget (1.21.2-2ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: mishandling of semicolons in userinfo
    - debian/patches/CVE-2024-38428.patch: properly re-implement userinfo
      parsing in src/url.c.
    - CVE-2024-38428

 -- Marc Deslauriers <email address hidden> Wed, 19 Jun 2024 08:15:59 -0400

CVE-2024-38428 url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data t



About   -   Send Feedback to @ubuntu_updates