Your message dated Mon, 27 Oct 2014 13:11:51 +0100
with message-id <[email protected]>
and subject line Re: Bug#766981: CVE-2014-4877: wget: FTP symlink arbitrary 
filesystem access
has caused the Debian Bug report #766981,
regarding CVE-2014-4877: wget: FTP symlink arbitrary filesystem access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
766981: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766981
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: wget
Version: 1.15-1
Severity: important
Tags: fixed-upstream, security, upstream

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7

"""
Wget was susceptible to a symlink attack which could create arbitrary files,
directories or symbolic links and set their permissions when retrieving a
directory recursively through FTP. This commit changes the default settings in
Wget such that Wget no longer creates local symbolic links, but rather traverses
them and retrieves the pointed-to file in such a retrieval. The old behaviour
can be attained by passing the --retr-symlinks=no option to the Wget invokation
command.
"""

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlROLg0ACgkQXf6hBi6kbk//KgCfY1kB9+jp++XGb1GMlekuBirP
IbEAoMBHvnAupKh7npnyUcyxyzk9R6R6
=uiOZ
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
fixed 766981 1.16-1
tags 766981 + confirmed
thanks

Am Montag, den 27.10.2014, 13:35 +0200 schrieb Henri Salo:

> http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
> 
> """
> Wget was susceptible to a symlink attack which could create arbitrary files,
> directories or symbolic links and set their permissions when retrieving a
> directory recursively through FTP. This commit changes the default settings in
> Wget such that Wget no longer creates local symbolic links, but rather 
> traverses
> them and retrieves the pointed-to file in such a retrieval. The old behaviour
> can be attained by passing the --retr-symlinks=no option to the Wget 
> invokation
> command.
> """

This is fixed in the today released version of wget 1.16 which is
already uploaded to unstable:

https://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html

https://packages.qa.debian.org/w/wget/news/20141027T104935Z.html

It will be in the archive in the next hours.

Regards

        Noël

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---

Reply via email to