Hello,

We are pleased to announce the new version of GNU wget.

This version fixes a security vulnerability (CVE-2016-4971) present in all old versions of wget. The vulnerability was discovered by Dawid Golunski and was reported to us by Beyond Security's SecuriTeam.

On a server redirect from HTTP to an FTP resource, wget would trust the HTTP server and use the name in the redirected URL as the destination filename. This behaviour was changed and now it works similarly to a redirect from HTTP to another HTTP resource, so the original name is used as the destination file. To keep the previous behaviour the user must provide --trust-server-names.

The new version is available for download here:

ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.gz
ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.xz

and the GPG detached signatures using the key E163E1EA:

ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.gz.sig
ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.xz.sig

To reduce load on the main server, you can use this redirector service which automatically redirects you to a mirror:

http://ftpmirror.gnu.org/wget/wget-1.18.tar.gz
http://ftpmirror.gnu.org/wget/wget-1.18.tar.xz

Noteworthy changes:

* By default, on server redirects to an FTP resource, use the original URL to get the local file name. Close CVE-2016-4971. This introduces a backward-incompatibility for HTTP->FTP redirects and any script that relies on the old behaviour must use --trust-server-names.

* Check the HSTS file is not world-writable before using it.

* Parse <img srcset> attributes on a recursive download.

* Fix problem with SNI server names having trailing dot(s).

* New options --bind-dns-address and --dns-servers.

* When Wget is built with libiconv, it now converts non-ASCII URIs to the locale's codeset when it creates files. The encoding of the remote files and URIs is taken from --remote-encoding, defaulting to UTF-8. The result is that non-ASCII URIs and files downloaded via HTTP/HTTPS and FTP will have names on the local filesystem that correspond to their remote names.

Please report any problem you may experience to the bug-wget@gnu.org mailing list.

For the maintainers of wget,
Giuseppe
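
The file-name change described in the announcement, as an added example that is not part of the original message and is not wget's own code: a simplified Python model of which name ends up on disk before 1.18, with the 1.18 default, and with --trust-server-names. The function names, hosts and file names are constructed for illustration, and the model ignores query strings, -O and Content-Disposition handling.

```python
import posixpath
from urllib.parse import urlsplit


def url_basename(url):
    """Last path segment of a URL, or 'index.html' when the path names a directory."""
    return posixpath.basename(urlsplit(url).path) or "index.html"


def local_filename(chain, patched=True, trust_server_names=False):
    """Pick the local file name for a download that followed `chain`.

    chain[0] is the URL the user asked for, chain[-1] the URL finally fetched.
    patched=False models the pre-1.18 behaviour described in the announcement.
    """
    original, final = chain[0], chain[-1]
    if trust_server_names:
        # Explicit opt-in: the server-chosen name is used.
        return url_basename(final)
    # The announcement speaks of HTTP; treating https the same is an assumption.
    http_to_ftp = (urlsplit(original).scheme in ("http", "https")
                   and urlsplit(final).scheme == "ftp")
    if http_to_ftp and not patched:
        # Old behaviour: the redirect target decided the name on disk.
        return url_basename(final)
    return url_basename(original)


def name_changes_on_upgrade(chain):
    """True when 1.18 saves under a different name than older versions did."""
    return local_filename(chain, patched=False) != local_filename(chain, patched=True)


# Constructed sample redirect chains (hosts and file names are made up).
SAMPLES = [
    ["http://example.com/report.txt", "ftp://files.example.org/pub/other-name.dat"],
    ["http://example.com/a.txt", "http://mirror.example.org/b.txt"],
    ["http://example.com/data/", "ftp://files.example.org/pub/data.tar"],
]

if __name__ == "__main__":
    for chain in SAMPLES:
        print(chain[0], "->", chain[-1])
        print("  before 1.18:              ", local_filename(chain, patched=False))
        print("  1.18 default:             ", local_filename(chain))
        print("  1.18 --trust-server-names:", local_filename(chain, trust_server_names=True))
        print("  name changes on upgrade:  ", name_changes_on_upgrade(chain))
```

Chains for which name_changes_on_upgrade() is true are the ones where a script relying on the old behaviour sees a different file name after upgrading.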