On Thursday 05 January 2012 22:17:47 Volker Kuhlmann wrote:
> Reading the CVE description gives me the impression that the security
> problem only exists if one was silly enough to allow overwriting
> existing files

not really. there are plenty of files which often don't exist but get automatically sourced like ~/.bash_logout or ~/.profile. or if people are mirroring a website with -nc. there are plenty of ways that this is wrong.

> create/change ~/.wgetrc, allow creating files in places
> other than below the current directory or with ../ in the path, or dot
> files in the home directory. That shouldn't be difficult to test for.

arbitrary blacklisting causes more problems than it's worth

> There is no option --trust-server-names.

upgrade your wget then
-mike
