UbuntuUpdates.org

Package "wget"

Name: wget

Description:

retrieves files from the web

Latest version: 1.15-1ubuntu1.14.04.5
Release: trusty (14.04)
Level: updates
Repository: main
Homepage: http://www.gnu.org/software/wget/

Links


Download "wget"


Other versions of "wget" in Trusty

Repository Area Version
base main 1.15-1ubuntu1
security main 1.15-1ubuntu1.14.04.5

Changelog

Version: 1.15-1ubuntu1.14.04.5 2019-04-09 14:06:21 UTC

  wget (1.15-1ubuntu1.14.04.5) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2019-5953-*.patch: fix in
      src/iri.c.
    - CVE-2019-5953

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 08 Apr 2019 16:28:33 -0300

Source diff to previous version
CVE-2019-5953 Buffer overflow vulnerability

Version: 1.15-1ubuntu1.14.04.4 2018-05-09 16:07:28 UTC

  wget (1.15-1ubuntu1.14.04.4) trusty-security; urgency=medium

  * SECURITY UPDATE: Cookie injection vulnerability
    - debian/patches/CVE-2018-0494.patch: fix cooking injection
      in src/http.c.
    - CVE-2018-0494

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 08 May 2018 13:59:12 -0300

Source diff to previous version
CVE-2018-0494 GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line.

Version: 1.15-1ubuntu1.14.04.3 2017-10-26 21:06:38 UTC

  wget (1.15-1ubuntu1.14.04.3) trusty-security; urgency=medium

  * SECURITY UPDATE: race condition leading to access list bypass
    - debian/patches/CVE-2016-7098-1.patch: limit file mode in src/http.c.
    - debian/patches/CVE-2016-7098-2.patch: add .tmp to temp files in
      src/http.c.
    - debian/patches/CVE-2016-7098-3.patch: replace asprintf by aprint in
      src/http.c.
    - CVE-2016-7098
  * SECURITY UPDATE: CRLF injection in url_parse
    - debian/patches/CVE-2017-6508.patch: check for invalid control
      characters in src/url.c.
    - CVE-2017-6508
  * SECURITY UPDATE: stack overflow in HTTP protocol handling
    - debian/patches/CVE-2017-13089.patch: return error on negative chunk
      size in src/http.c.
    - CVE-2017-13089
  * SECURITY UPDATE: heap overflow in HTTP protocol handling
    - debian/patches/CVE-2017-13090.patch: stop processing on negative
      chunk size in src/retr.c.
    - CVE-2017-13090

 -- Marc Deslauriers <email address hidden> Mon, 23 Oct 2017 15:39:58 -0400

Source diff to previous version
CVE-2016-7098 Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass int
CVE-2017-6508 CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via C

Version: 1.15-1ubuntu1.14.04.2 2016-06-20 20:06:32 UTC

  wget (1.15-1ubuntu1.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: http to ftp redirect spoofed filenames
    - debian/patches/CVE-2016-4971.patch: understand --trust-server-names
      on a HTTP->FTP redirect in src/ftp.*, src/retr.c.
    - CVE-2016-4971

 -- Marc Deslauriers <email address hidden> Tue, 14 Jun 2016 10:50:13 +0300

Source diff to previous version

Version: 1.15-1ubuntu1.14.04.1 2014-10-30 19:06:51 UTC

  wget (1.15-1ubuntu1.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: remote code execution via absolute path traversal
    vulnerability in FTP
    - debian/patches/CVE-2014-4877.patch: don't create local symlinks in
      src/init.c, check for duplicate file nodes in src/ftp.c, updated
      documentation in doc/wget.texi.
    - CVE-2014-4877
 -- Marc Deslauriers <email address hidden> Thu, 30 Oct 2014 10:02:13 -0400

CVE-2014-4877 wget: FTP symlink arbitrary filesystem access



About   -   Send Feedback to @ubuntu_updates