Security Advisory and Request for Wget Update: 1.10.2


Security Advisory and Request for Wget Update: 1.10.2

Alan Dobkin
FYI, Wget 1.10.2 was released over a month ago (on October 13, 2005):

> The latest stable version of Wget is 1.10.2. This release contains
> fixes for a major security problem: a remotely exploitable buffer
> overflow vulnerability in the NTLM authentication code. All Wget users
> are strongly encouraged to upgrade their Wget installation to the last
> release.
>

http://www.mail-archive.com/wget@.../msg08295.html

http://www.mail-archive.com/wget@.../msg08300.html

It seems that Harold Hunt is the new wget maintainer, and I do not wish
to take his place, but new releases such as this (especially security
updates that affect Windows) should be provided in a timely manner.

Thanks,
Alan

P. S. -- Apparently this is the same bug that also affected cURL, which
has no current maintainer....


On 10/23/2005 3:46 PM, Yaakov S (Cygwin Ports) wrote:

> cURL is vulnerable to a buffer overflow which could lead to the
> execution of arbitrary code.
>
> Solution:  upgrade to 7.15.0.
>
> Workaround until solved:
> Disable NTLM authentication by not using the --anyauth or --ntlm
> options when using cURL (the command line version). Workarounds for
> programs that use the cURL library depend on the configuration options
> presented by those programs.
>
> http://security.gentoo.org/glsa/glsa-200510-19.xml
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
> http://www.idefense.com/application/poi/display?id=322&type=vulnerabilities
>
>
> Yaakov
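Since the only remedy the thread offers is "upgrade", the following added check (example code written for this page, not from the thread nor from the wget or curl projects) compares an installed version of each tool against the fixed releases named above, 1.10.2 for wget and 7.15.0 for curl. It assumes the first line of `wget --version` starts with `GNU Wget <version>` and the first line of `curl --version` starts with `curl <version>`; the sample outputs embedded in the script are constructed, and pre-release suffixes in a version field are ignored during comparison.

```shell
#!/bin/sh
# Added example: report whether an installed wget/curl is at or above the
# release that fixed the NTLM buffer overflow discussed in the thread.

# Fixed releases quoted in the thread.
WGET_FIXED="1.10.2"
CURL_FIXED="7.15.0"

# version_ge A B -> exit 0 if dotted version A >= B, 1 otherwise.
# Fields are compared numerically; non-digit characters (e.g. "2a") are
# dropped, so pre-release suffixes are ignored (assumption for this example).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); ax="${ax:-0}"
        bx=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); bx="${bx:-0}"
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# wget_version_from OUTPUT -> version from the first line "GNU Wget X.Y.Z ..."
wget_version_from() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="GNU" && $2=="Wget" {print $3}'
}

# curl_version_from OUTPUT -> version from the first line "curl X.Y.Z (...)"
curl_version_from() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="curl" {print $2}'
}

# tool_status NAME VERSION FIXED -> prints OK, VULNERABLE or UNKNOWN
tool_status() {
    if [ -z "$2" ]; then
        echo "UNKNOWN"
    elif version_ge "$2" "$3"; then
        echo "OK"
    else
        echo "VULNERABLE"
    fi
}

# report NAME VERSION FIXED -> one human-readable verdict line
report() {
    name="$1"; ver="$2"; fixed="$3"
    status=$(tool_status "$name" "$ver" "$fixed")
    echo "$name ${ver:-?}: $status (fixed in $fixed)"
}

# Constructed sample outputs in the shape the tools print (not real captures).
SAMPLE_WGET="GNU Wget 1.10.1
Copyright (C) Free Software Foundation, Inc."
SAMPLE_CURL="curl 7.15.0 (i686-pc-cygwin) libcurl/7.15.0 OpenSSL/0.9.8a zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps"

report wget "$(wget_version_from "$SAMPLE_WGET")" "$WGET_FIXED"
report curl "$(curl_version_from "$SAMPLE_CURL")" "$CURL_FIXED"

# On a live host, feed the real tool output instead of the samples:
#   report wget "$(wget_version_from "$(wget --version 2>/dev/null)")" "$WGET_FIXED"
#   report curl "$(curl_version_from "$(curl --version 2>/dev/null)")" "$CURL_FIXED"
```

The comparison is done field by field rather than with a string compare so that 1.10.2 correctly sorts above 1.9.1; a missing tool or an unrecognised banner yields UNKNOWN rather than a false OK.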

Re: Security Advisory and Request for Wget Update: 1.10.2

Harold L Hunt II
Alan,

Thanks for the heads up, but next time I'll take the notice without the
lip, thank you.

Harold

Alan Dobkin wrote:

> FYI, Wget 1.10.2 was released over a month ago (on October 13, 2005):
>
>
>>The latest stable version of Wget is 1.10.2. This release contains
>>fixes for a major security problem: a remotely exploitable buffer
>>overflow vulnerability in the NTLM authentication code. All Wget users
>>are strongly encouraged to upgrade their Wget installation to the last
>>release.
>>
>
>
> http://www.mail-archive.com/wget@.../msg08295.html
>
> http://www.mail-archive.com/wget@.../msg08300.html
>
> It seems that Harold Hunt is the new wget maintainer, and I do not wish
> to take his place, but new releases such as this (especially security
> updates that affect Windows) should be provided in a timely manner.
>
> Thanks,
> Alan
>
> P. S. -- Apparently this is the same bug that also affected cURL, which
> has no current maintainer....
>
>
> On 10/23/2005 3:46 PM, Yaakov S (Cygwin Ports) wrote:
>
>>cURL is vulnerable to a buffer overflow which could lead to the
>>execution of arbitrary code.
>>
>>Solution:  upgrade to 7.15.0.
>>
>>Workaround until solved:
>>Disable NTLM authentication by not using the --anyauth or --ntlm
>>options when using cURL (the command line version). Workarounds for
>>programs that use the cURL library depend on the configuration options
>>presented by those programs.
>>
>>http://security.gentoo.org/glsa/glsa-200510-19.xml
>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
>>http://www.idefense.com/application/poi/display?id=322&type=vulnerabilities
>>
>>
>>Yaakov
>
>

Re: Security Advisory and Request for Wget Update: 1.10.2

Alan Dobkin
Harold,

My apologies for offending you, although my comment wasn't directed
specifically at you.  I wasn't sure if you were still active on the
list, since I hadn't seen you post in a while.  So, I was making a
general statement that someone should keep this package up to date.

In any case, I do appreciate your efforts, and thanks for working on the
package update.  Any chance you'd like to take on cURL at the same time?

Thanks,
Alan

On 11/15/2005 3:53 PM, Harold L Hunt II wrote:
> Alan,
>
> Thanks for the heads up, but next time I'll take the notice without
> the lip, thank you.
>
> Harold