Source: wget
Version: 1.20-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for wget.

CVE-2018-20483[0]:
| set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's
| origin URL in the user.xdg.origin.url metadata attribute of the
| extended attributes of the downloaded file, which allows local users to
| obtain sensitive information (e.g., credentials contained in the URL)
| by reading this attribute, as demonstrated by getfattr. This also
| applies to Referer information in the user.xdg.referrer.url metadata
| attribute. According to 2016-07-22 in the Wget ChangeLog,
| user.xdg.origin.url was partially based on the behavior of fwrite_xattr
| in tool_xattr.c in curl.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
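
A defender-side audit for the exposure described in the report, as an added example that is not part of the original bug report or of wget: on Linux it walks a directory, reads the two attributes named in the CVE text, and reports which files carry URLs with embedded credentials, without echoing the secret values. The `SECRET_PARAMS` list and all function names are assumptions chosen for illustration.

```python
import os
from urllib.parse import urlsplit, parse_qsl

# Attribute names as given in the CVE description.
XDG_ATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")
# Assumption: query parameter names treated as secrets (illustrative, not exhaustive).
SECRET_PARAMS = {"token", "access_token", "api_key", "apikey", "password", "sig"}

def url_leaks(url):
    """Return reasons a stored URL is sensitive; names only, never secret values."""
    parts = urlsplit(url)
    reasons = ["userinfo"] if (parts.username or parts.password) else []
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            reasons.append("query:" + name)
    return reasons

def audit_attrs(attrs):
    """attrs maps xattr name -> raw bytes; return {name: reasons} for leaky ones."""
    findings = {}
    for name in XDG_ATTRS:
        if name in attrs:
            reasons = url_leaks(attrs[name].decode("utf-8", "replace"))
            if reasons:
                findings[name] = reasons
    return findings

def read_xdg_attrs(path):
    """Read both attributes from a file; absent or unsupported xattrs are skipped."""
    attrs = {}
    for name in XDG_ATTRS:
        try:
            attrs[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError:
            pass
    return attrs

def scan_tree(root, strip=False):
    """Walk root and report leaky files; with strip=True also remove the attributes."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            found = audit_attrs(read_xdg_attrs(path))
            if found:
                report[path] = found
                for name in (found if strip else ()):
                    os.removexattr(path, name, follow_symlinks=False)
    return report
```

Running `scan_tree` over shared download directories with `strip=False` first gives a report that can be reviewed before any attribute is removed.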