Mailinglist Archive: opensuse-security (24 mails)

Re: [opensuse-security] Bug in wget: CVE-2014-4877
Hi,

we already started an update for SLE. We will release it as soon as
possible based on impact and relative to other running issues.

The openSUSE community is happy about every helping hand... so if you
want to learn something about packaging and the build-service, feel free.

Bye,
Thomas


On 10/30/2014 10:20 AM, Sverre Moe wrote:
A new version of wget is out, 1.16

http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
* Noteworthy changes in Wget 1.16
** No longer create local symbolic links by default. Closes CVE-2014-4877.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

OpenSUSE 13.1 uses wget-1.14
Last changes: Thu May 2 17:50:50 UTC 2013
https://build.opensuse.org/package/show/openSUSE:13.1/wget

OpenSUSE 13.2 uses wget-1.15
Last changes: Sun Jan 19 22:02:25 UTC 2014
https://build.opensuse.org/package/show/openSUSE:13.2/wget

When will we see a fix for wget on OpenSUSE?
I also use some SLES and have not seen any indication that SUSE is on
this either.



--
Thomas Biege <thomas@xxxxxxx>, Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
--
Whoever stops wanting to become better stops being good.
-- Marie von Ebner-Eschenbach
