Debian: DSA-1904-1 Important: Fix for Wget Remote SSL Vulnerability
debian
October 9, 2009
Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using http(s) and ftp, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates...
Topics Covered
Summary
Daniel Stenberg discovered that wget, a network utility to retrieve files from
the Web using http(s) and ftp, is vulnerable to the "Null Prefix Attacks Against
SSL/TLS Certificates" published at the Blackhat conference some time ago. This
allows an attacker to perform undetected man-in-the-middle attacks via a crafted
ITU-T X.509 certificate with an injected null byte in the Common Name field.
For the oldstable distribution (etch), this problem has been fixed in
version 1.10.2-2+etch1.
For the stable distribution (lenny), this problem has been fixed in
version 1.11.4-2+lenny1.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 1.12-1.
We recommend that you upgrade your wget packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list ...
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Package: wget
CVE ID: CVE-2009-3490
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!