Re: [opensuse-security] Bug in wget: CVE-2014-4877

Hi, we already started an update for SLE. We will release it as soon as possible based on impact and relative to other running issues. The openSUSE community is happy about every helping hand... so if you want to learn something about packaging and the build-service, feel free. Bye, Thomas On 10/30/2014 10:20 AM, Sverre Moe wrote:

A new version of wget is out, 1.16

http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html * Noteworthy changes in Wget 1.16 ** No longer create local symbolic links by default. Closes CVE-2014-4877.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15...

OpenSUSE 13.1 uses wget-1.14 Last changes: Thu May 2 17:50:50 UTC 2013 https://build.opensuse.org/package/show/openSUSE:13.1/wget

OpenSUSE 13.2 uses wget-1.15 Last changes: Sun Jan 19 22:02:25 UTC 2014 https://build.opensuse.org/package/show/openSUSE:13.2/wget

When will we see a fix for wget on OpenSUSE? I also use some SLES and have not seen any indication that SUSE is on this either.

-- Thomas Biege , Team Leader MaintenanceSecurity, CSSLP SUSE LINUX Products GmbH GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer HRB 21284 (AG Nürnberg) -- Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. -- Marie von Ebner-Eschenbach