Your message dated Mon, 06 Sep 2010 14:49:24 +0000
with message-id <e1osd0e-0006ye...@franck.debian.org>
and subject line Bug#590296: fixed in wget 1.12-2.1
has caused the Debian Bug report #590296,
regarding wget: CVE-2010-2252 use of server provided file name might lead to overwriting arbitrary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
590296: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590296
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wget
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wget.

CVE-2010-2252[0]:
| GNU Wget 1.12 and earlier uses a server-provided filename instead of
| the original URL to determine the destination filename of a download,
| which allows remote servers to create or overwrite arbitrary files via
| a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx
| redirect to a URL with a crafted filename, and possibly execute
| arbitrary code as a consequence of writing to a dotfile in a home
| directory.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2252
    http://security-tracker.debian.org/tracker/CVE-2010-2252

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpZIoP4DLTJz.pgp
Description: PGP signature


--- End Message ---
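The filename-selection flaw described in the CVE text above, modelled as an added example (this is illustrative code, not wget's source or the Debian patch): a downloader that names the output file after the URL it was finally redirected to will write whatever basename the server chooses, including a dotfile such as `.wgetrc` in the current directory; one that names it after the URL the user requested does not. The redirect chain, the helper names and the extra dotfile/traversal check are constructed for this example; the opt-in flag `--trust-server-names` that the check models is the one the wget fix introduced, but the sanity check applied on top of it is this example's own, not a claim about wget's behaviour.

```python
"""Model of the CVE-2010-2252 filename-selection flaw (added example, not wget's code).

The CVE text says wget 1.12 and earlier named a downloaded file after the
server-provided name (the URL it was finally redirected to) rather than the
URL the user asked for, so a malicious server could make the client write a
dotfile such as .wgetrc into the current directory.  The two policies below
model the pre-fix and post-fix behaviour.  The redirect chain and the helper
names are constructed for illustration.
"""
import posixpath
from typing import Sequence
from urllib.parse import unquote, urlsplit

# Constructed redirect chain: the user asks for report.pdf, the server answers
# with 3xx redirects, and the final Location names a dotfile.  Element 0 is the
# URL the user typed; the last element is the URL that actually served the body.
REDIRECT_CHAIN = [
    "http://files.example.test/downloads/report.pdf",
    "http://files.example.test/pub/report-v2.pdf",
    "http://files.example.test/tmp/.wgetrc",
]


def basename_of(url: str) -> str:
    """Last path segment of a URL after percent-decoding.

    Decoding happens before taking the basename so that an encoded "%2e" or
    "%2f" cannot smuggle a dotfile or a path separator past the later check.
    "index.html" is the fallback for directory URLs (the convention wget uses).
    """
    path = unquote(urlsplit(url).path)
    return posixpath.basename(path) or "index.html"


def is_safe_filename(name: str) -> bool:
    """True if name can neither leave the download directory nor create a dotfile."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return not name.startswith(".")


def vulnerable_output_name(chain: Sequence[str]) -> str:
    """Pre-fix policy: trust the server and name the file after the final URL."""
    return basename_of(chain[-1])


def hardened_output_name(chain: Sequence[str], trust_server_names: bool = False) -> str:
    """Post-fix policy: name the file after the URL the user requested.

    trust_server_names models the opt-in the fixed wget offers
    (--trust-server-names).  The sanity check is applied in both modes; that
    extra guard is part of this example, not a description of wget.
    """
    name = basename_of(chain[-1] if trust_server_names else chain[0])
    if not is_safe_filename(name):
        raise ValueError(f"refusing unsafe filename {name!r}")
    return name


if __name__ == "__main__":
    print("vulnerable policy writes:", vulnerable_output_name(REDIRECT_CHAIN))  # .wgetrc
    print("hardened policy writes:  ", hardened_output_name(REDIRECT_CHAIN))    # report.pdf
    try:
        hardened_output_name(REDIRECT_CHAIN, trust_server_names=True)
    except ValueError as exc:
        print("hardened policy with server names trusted:", exc)
```

Running the block prints `.wgetrc` for the pre-fix policy and `report.pdf` for the post-fix one, and shows that even opting in to server-supplied names is stopped by the dotfile check. The decode-before-basename order matters: checking the raw URL path and decoding afterwards would let `%2ewgetrc` through.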
--- Begin Message ---
Source: wget
Source-Version: 1.12-2.1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:

wget_1.12-2.1.debian.tar.gz
  to main/w/wget/wget_1.12-2.1.debian.tar.gz
wget_1.12-2.1.dsc
  to main/w/wget/wget_1.12-2.1.dsc
wget_1.12-2.1_i386.deb
  to main/w/wget/wget_1.12-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 590...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 05 Sep 2010 15:33:19 +0200
Source: wget
Binary: wget
Architecture: source i386
Version: 1.12-2.1
Distribution: unstable
Urgency: high
Maintainer: Noèl Köthe <n...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description: 
 wget       - retrieves files from the web
Closes: 590296
Changes: 
 wget (1.12-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2010-2252: use of server provided file name might lead to
     overwriting arbitrary files. Thanks to Marc Deslauriers and the Ubuntu
     Security team (Closes: #590296)
Checksums-Sha1: 
 6ed5a030bc892c9e5337bc94233f66c869b77ab9 1055 wget_1.12-2.1.dsc
 d4c1c8bbe431d6131cbd7ed2e4fc37dd7cef3611 48308 wget_1.12-2.1.debian.tar.gz
 5ff232b31aaf55ee3c75d16afda5c839be6f2731 754210 wget_1.12-2.1_i386.deb
Checksums-Sha256: 
 9dc82d34550a4fac9aaa641bc91814955401cb40c27dfe871aca922ecae5c04a 1055 wget_1.12-2.1.dsc
 1e9b0c4c00eae6b4172baae219a14857f4002382b9d7a289de7ab789c402ad78 48308 wget_1.12-2.1.debian.tar.gz
 cb9e58b88e2f912b1e54a3f9add637346a0a4b04f02298a0607c5b42b4bb0d8d 754210 wget_1.12-2.1_i386.deb
Files: 
 8809917dbb6e80f4aff6ecea5143b2a4 1055 web important wget_1.12-2.1.dsc
 e93123c934e3c141916f472f380278c2 48308 web important wget_1.12-2.1.debian.tar.gz
 766a0813615ec37f2b09159b38e47c3a 754210 web important wget_1.12-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyDnx8ACgkQNxpp46476arPNACeN6IO7LaZXhFXFCg5ya3rp7ht
QboAnRNLZUSSQRsHW4G+SavJJ0F/kKJy
=dCAw
-----END PGP SIGNATURE-----



--- End Message ---