[opensuse-security] Bug in wget: CVE-2014-4877
A new version of wget is out, 1.16
http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html

* Noteworthy changes in Wget 1.16
** No longer create local symbolic links by default. Closes CVE-2014-4877.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877
https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15...

OpenSUSE 13.1 uses wget-1.14
Last changes: Thu May 2 17:50:50 UTC 2013
https://build.opensuse.org/package/show/openSUSE:13.1/wget

OpenSUSE 13.2 uses wget-1.15
Last changes: Sun Jan 19 22:02:25 UTC 2014
https://build.opensuse.org/package/show/openSUSE:13.2/wget

When will we see a fix for wget on OpenSUSE? I also use some SLES and have not seen any indication that SUSE is on this either.

Hi,

we already started an update for SLE. We will release it as soon as possible based on impact and relative to other running issues.

The openSUSE community is happy about every helping hand... so if you want to learn something about packaging and the build-service, feel free.

Bye,
Thomas

On 10/30/2014 10:20 AM, Sverre Moe wrote:
> A new version of wget is out, 1.16
> http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
>
> * Noteworthy changes in Wget 1.16
> ** No longer create local symbolic links by default. Closes CVE-2014-4877.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877
> https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15...
>
> OpenSUSE 13.1 uses wget-1.14
> Last changes: Thu May 2 17:50:50 UTC 2013
> https://build.opensuse.org/package/show/openSUSE:13.1/wget
>
> OpenSUSE 13.2 uses wget-1.15
> Last changes: Sun Jan 19 22:02:25 UTC 2014
> https://build.opensuse.org/package/show/openSUSE:13.2/wget
>
> When will we see a fix for wget on OpenSUSE? I also use some SLES and have not seen any indication that SUSE is on this either.

--
Thomas Biege <thomas@suse.de>, Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
--
Whoever stops wanting to become better stops being good.
-- Marie von Ebner-Eschenbach

Hi,

yes, we are tracking it here:
https://bugzilla.suse.com/show_bug.cgi?id=902709

thank you
Victor Pereira

On 10/30/2014 09:20 AM, Sverre Moe wrote:
> A new version of wget is out, 1.16
> http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
>
> * Noteworthy changes in Wget 1.16
> ** No longer create local symbolic links by default. Closes CVE-2014-4877.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877
> https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15...
>
> OpenSUSE 13.1 uses wget-1.14
> Last changes: Thu May 2 17:50:50 UTC 2013
> https://build.opensuse.org/package/show/openSUSE:13.1/wget
>
> OpenSUSE 13.2 uses wget-1.15
> Last changes: Sun Jan 19 22:02:25 UTC 2014
> https://build.opensuse.org/package/show/openSUSE:13.2/wget
>
> When will we see a fix for wget on OpenSUSE? I also use some SLES and have not seen any indication that SUSE is on this either.

--
Victor Pereira
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)