Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Scientific Linux: SLSA-2014:0151-1 Low: wget Security Fix

Scientific Large Esm H446
Low: wget security and bug fix update
Date: Mon, 10 Feb 2014 19:18:59 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Low: wget on SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis: Low: wget security and bug fix update
Advisory ID: SLSA-2014:0151-1
Issue Date: 2014-02-10
CVE Numbers: None
--

It was discovered that wget used a file name provided by the server when
saving a downloaded file. This could cause wget to create a file with a
different name than expected, possibly allowing the server to execute
arbitrary code on the client. (CVE-2010-2252)

Note: With this update, wget always uses the last component of the
original URL as the name for the downloaded file. Previous behavior of
using the server provided name or the last component of the redirected URL
when creating files can be re-enabled by using the '--trust-server-names'
command line option, or by setting 'trust_server_names=on' in the wget
start-up file.

This update also fixes the following bugs:

* Prior to this update, the wget package did not recognize HTTPS SSL
certificates with alternative names (subjectAltName) specified in the
certificate as valid. As a consequence, running the wget command failed
with a certificate error. This update fixes wget to recognize such
certificates as valid.
--

SL6
 x86_64
 wget-1.12-1.11.el6_5.x86_64.rpm
 wget-debuginfo-1.12-1.11.el6_5.x86_64.rpm
 i386
 wget-1.12-1.11.el6_5.i686.rpm
 wget-debuginfo-1.12-1.11.el6_5.i686.rpm

- Scientific Linux Development Team