UbuntuUpdates.org

Package "wget"

Name: wget

Description:

retrieves files from the web
Latest version: 1.17.1-1ubuntu1.5
Release: xenial (16.04)
Level: security
Repository: main
Homepage: https://www.gnu.org/software/wget/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "wget"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "wget" in Xenial

Repository Area Version
base main 1.17.1-1ubuntu1
updates main 1.17.1-1ubuntu1.5

Changelog

Version: 1.17.1-1ubuntu1.5 2019-04-10 18:07:19 UTC

  wget (1.17.1-1ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2019-5953-*.patch: fix in
      src/iri.c.
    - CVE-2019-5953

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 08 Apr 2019 16:13:54 -0300
Source diff to previous version
CVE-2019-5953 Buffer overflow vulnerability

Version: 1.17.1-1ubuntu1.4 2018-05-09 15:07:12 UTC

  wget (1.17.1-1ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Cookie injection vulnerability
    - debian/patches/CVE-2018-0494.patch: fix cooking injection
      in src/http.c.
    - CVE-2018-0494

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 08 May 2018 14:00:12 -0300
Source diff to previous version
CVE-2018-0494 GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line.

Version: 1.17.1-1ubuntu1.3 2017-10-26 18:06:37 UTC

  wget (1.17.1-1ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: race condition leading to access list bypass
    - debian/patches/CVE-2016-7098-1.patch: limit file mode in src/http.c.
    - debian/patches/CVE-2016-7098-2.patch: add .tmp to temp files in
      src/http.c.
    - debian/patches/CVE-2016-7098-3.patch: replace asprintf by aprint in
      src/http.c.
    - CVE-2016-7098
  * SECURITY UPDATE: CRLF injection in url_parse
    - debian/patches/CVE-2017-6508.patch: check for invalid control
      characters in src/url.c.
    - CVE-2017-6508
  * SECURITY UPDATE: stack overflow in HTTP protocol handling
    - debian/patches/CVE-2017-13089.patch: return error on negative chunk
      size in src/http.c.
    - CVE-2017-13089
  * SECURITY UPDATE: heap overflow in HTTP protocol handling
    - debian/patches/CVE-2017-13090.patch: stop processing on negative
      chunk size in src/retr.c.
    - CVE-2017-13090

 -- Marc Deslauriers <email address hidden> Mon, 23 Oct 2017 15:36:01 -0400
Source diff to previous version
CVE-2016-7098 Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass int
CVE-2017-6508 CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via C

Version: 1.17.1-1ubuntu1.1 2016-06-20 18:06:57 UTC

  wget (1.17.1-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: http to ftp redirect spoofed filenames
    - debian/patches/CVE-2016-4971.patch: understand --trust-server-names
      on a HTTP->FTP redirect in src/ftp.*, src/retr.c.
    - CVE-2016-4971

 -- Marc Deslauriers <email address hidden> Tue, 14 Jun 2016 10:36:24 +0300


About   -   Send Feedback to @ubuntu_updates