Your message dated Wed, 29 Mar 2017 19:47:12 +0000
with message-id <[email protected]>
and subject line Bug#857073: fixed in wget 1.16-1+deb8u2
has caused the Debian Bug report #857073,
regarding wget: CVE-2017-6508: CRLF injection in the url_parse function in url.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
857073: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857073
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wget
Version: 1.16-1
Severity: important
Tags: patch security upstream
Forwarded: http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
Hi,
the following vulnerability was published for wget.
CVE-2017-6508[0]:
| CRLF injection vulnerability in the url_parse function in url.c in Wget
| through 1.19.1 allows remote attackers to inject arbitrary HTTP headers
| via CRLF sequences in the host subcomponent of a URL.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
[1] http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
[2] http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
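A host-validation check of the kind this CVE calls for, as an added example that is not wget's code or the upstream patch: the hypothetical `extract_safe_host()` percent-decodes the host of a URL and rejects any control character, so CR or LF in the host never reaches a request header. The function names and sample URLs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative helper, not wget's code. Returns the value of a hex digit, or -1. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Copy the percent-decoded host of `url` into `out`. Returns 0 on success,
   -1 if the host is missing, too long, badly escaped, or contains a control
   character. Assumes scheme://host[:port][/...] with no userinfo or IPv6 literal. */
int extract_safe_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    size_t n = 0;

    if (p == NULL || outlen == 0)
        return -1;
    for (p += 3; *p && !strchr(":/?#", *p); ) {
        unsigned char c = (unsigned char)*p++;
        if (c == '%') {                       /* decode %XX before validating */
            int hi = hexval((unsigned char)p[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[1]);
            if (lo < 0)
                return -1;
            c = (unsigned char)(hi * 16 + lo);
            p += 2;
        }
        if (c < 0x20 || c == 0x7f)            /* CR, LF, NUL, other controls */
            return -1;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n > 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample URLs; the second carries an encoded CR LF in the host. */
    const char *urls[] = { "http://example.com/a", "http://example.com%0d%0aX-Test:%201/" };
    char host[256];
    for (size_t i = 0; i < 2; i++)
        printf("%d\n", extract_safe_host(urls[i], host, sizeof host));
    return 0;
}
```

The check runs on the decoded byte, which is why it sits after the `%XX` handling rather than before it.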
--- Begin Message ---
Source: wget
Source-Version: 1.16-1+deb8u2
We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noël Köthe <[email protected]> (supplier of updated wget package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 18 Mar 2017 15:39:29 +0100
Source: wget
Binary: wget
Architecture: source amd64
Version: 1.16-1+deb8u2
Distribution: jessie
Urgency: medium
Maintainer: Noël Köthe <[email protected]>
Changed-By: Noël Köthe <[email protected]>
Description:
wget - retrieves files from the web
Closes: 857073
Changes:
wget (1.16-1+deb8u2) jessie; urgency=medium
.
* added upstream patch to fix CVE-2017-6508 closes: Bug#857073
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---