FYI, Wget 1.10.2 was released over a month ago (on October 13, 2005):

> The latest stable version of Wget is 1.10.2. This release contains
> fixes for a major security problem: a remotely exploitable buffer
> overflow vulnerability in the NTLM authentication code. All Wget users
> are strongly encouraged to upgrade their Wget installation to the last
> release.

http://www.mail-archive.com/[email protected]/msg08295.html
http://www.mail-archive.com/[email protected]/msg08300.html

It seems that Harold Hunt is the new wget maintainer, and I do not wish to take his place, but new releases such as this (especially security updates that affect Windows) should be provided in a timely manner.

Thanks,
Alan

P. S. -- Apparently this is the same bug that also affected cURL, which has no current maintainer....

On 10/23/2005 3:46 PM, Yaakov S (Cygwin Ports) wrote:
> cURL is vulnerable to a buffer overflow which could lead to the
> execution of arbitrary code.
>
> Solution: upgrade to 7.15.0.
>
> Workaround until solved:
> Disable NTLM authentication by not using the --anyauth or --ntlm
> options when using cURL (the command line version). Workarounds for
> programs that use the cURL library depend on the configuration options
> presented by those programs.
>
> http://security.gentoo.org/glsa/glsa-200510-19.xml
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
> http://www.idefense.com/application/poi/display?id=322&type=vulnerabilities
>
>
> Yaakov
