On 4/4/19 4:42 PM, Josef Moellers wrote: > On 04.04.19 09:27, Tim Rühsen wrote: >> On 4/4/19 3:14 AM, Secunia Research wrote: >>> Hello, >>> >>> We are currently processing a report published by a third-party [1] for GNU >>> wget and are currently evaluating it to publish a Secunia Advisory for this. >>> Please see the original report for details. >>> >>> We would appreciate to receive your comments on those issues before we >>> publish our advisory based on this information. >>> >>> * Can you confirm the vulnerability? >> >> Yes > > Can you please elaborate what EXACTLY the vulnerability is? I have > searched through the (quite hefty) diff between 1.20.1 and 1.20.2 and > have found only 4 differences that may be viewed as these, but the > changes in > src/ftp-ls.c and > src/http.c > do not fix a vulnerability. > The CVE-entry is not quite helpful, to say the least ;-)
Well, I could tell you details since I have a PoC and I made the fix. But maybe there is a reason why the JVN people dont't include the PoC within their report. I am asking them... Regards, Tim
signature.asc
Description: OpenPGP digital signature
