Mailinglist Archive: opensuse-security (24 mails)

< Previous Next >
Re: [opensuse-security] Bug in wget: CVE-2014-4877
Hi,

yes, we are tracking it here:
https://bugzilla.suse.com/show_bug.cgi?id=902709

thank you

Victor Pereira


On 10/30/2014 09:20 AM, Sverre Moe wrote:
A new version of wget is out, 1.16

http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
* Noteworthy changes in Wget 1.16
** No longer create local symbolic links by default. Closes CVE-2014-4877.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877

https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access

OpenSUSE 13.1 uses wget-1.14
Last changes: Thu May 2 17:50:50 UTC 2013
https://build.opensuse.org/package/show/openSUSE:13.1/wget

OpenSUSE 13.2 uses wget-1.15
Last changes: Sun Jan 19 22:02:25 UTC 2014
https://build.opensuse.org/package/show/openSUSE:13.2/wget

When will we see a fix for wget on OpenSUSE?
I also use some SLES and have not seen any indication that SUSE is on
this either.

--
Victor Pereira
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx

< Previous Next >
List Navigation
References