Sent from my iPhone
> On Nov 2, 2014, at 1:06 PM, Luciano Bello <[email protected]> wrote:
>
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3062-1                   [email protected]
> http://www.debian.org/security/                            Luciano Bello
> November 01, 2014                      http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : wget
> CVE ID         : CVE-2014-4877
> Debian Bug     : 766981
>
> HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line
> utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability
> allows creating arbitrary files on the user's system when Wget runs in
> recursive mode against a malicious FTP server. Arbitrary file creation
> may override content of user's files or permit remote code execution with
> the user's privileges.
>
> This update changes the default setting in Wget such that it no longer
> creates local symbolic links, but rather traverses them and retrieves the
> pointed-to file in such a retrieval.
>
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.13.4-3+deb7u2.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1.16-1.
>
> We recommend that you upgrade your wget packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: [email protected]
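As an added illustration of what the advisory's fix prevents (this is not code from the advisory or from the wget project): a small Python check that walks a directory fetched by a pre-fix wget in recursive mode and reports every symbolic link whose target resolves outside the download root, which is the artifact a malicious FTP server could make such a wget create. The function name `escaping_symlinks` and the sample tree built under `__main__` are assumptions of this example.

```python
import os
import sys
import tempfile


def escaping_symlinks(root):
    """Return (link_path, raw_target) for each symlink under `root` whose
    resolved target lies outside `root`.

    The advisory's fix makes wget retrieve the pointed-to file instead of
    recreating the server's symlink locally; this check finds links that an
    older wget may already have written.  Links that stay inside `root` are
    not reported.  Dangling links are still checked: realpath() does not
    require the target to exist.
    """
    root_real = os.path.realpath(root)
    found = []
    # followlinks=False so a symlinked directory is inspected, not descended.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            # A relative target resolves against the directory holding the link.
            resolved = os.path.realpath(os.path.join(dirpath, target))
            if os.path.commonpath([root_real, resolved]) != root_real:
                found.append((path, target))
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:
        # Constructed sample tree: one link inside the root, two escaping it.
        root = os.path.join(tempfile.mkdtemp(), "pub")
        os.makedirs(os.path.join(root, "sub"))
        open(os.path.join(root, "sub", "file.txt"), "w").close()
        os.symlink("sub/file.txt", os.path.join(root, "inside"))
        os.symlink("../../../etc/passwd", os.path.join(root, "sub", "escape"))
        os.symlink("/tmp/CONSTRUCTED_outside", os.path.join(root, "abs"))
    for link, target in escaping_symlinks(root):
        print(f"escaping symlink: {link} -> {target}")
```

Run with a download directory as the only argument; with no argument it scans the constructed sample tree and reports the two escaping links.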

