Hi,

As pointed out by fcambus, a new wget release is available. It fixes CVE-2016-4971.

Release announcement:
https://lists.gnu.org/archive/html/bug-wget/2016-06/msg00033.html

Noteworthy changes:

* By default, on server redirects to a FTP resource, use the original URL to get the local file name. Close CVE-2016-4971. This introduces a backward-incompatibility for HTTP->FTP redirects and any script that relies on the old behaviour must use --trust-server-names.
* Check the HSTS file is not world-writable before using it.
* Parse <img srcset> attributes on a recursive download.
* Fix problem with SNI server names having trailing dot(s)
* New options --bind-dns-address and --dns-servers.
* When Wget is built with libiconv, it now converts non-ASCII URIs to the locale's codeset when it creates files. The encoding of the remote files and URIs is taken from --remote-encoding, defaulting to UTF-8. The result is that non-ASCII URIs and files downloaded via HTTP/HTTPS and FTP will have names on the local filesystem that correspond to their remote names.

5 wget tests fail:

FAIL: Test--https.py
FAIL: Test-pinnedpubkey-der-https.py
FAIL: Test-pinnedpubkey-hash-https.py
FAIL: Test-pinnedpubkey-pem-https.py
FAIL: Test-hsts.py

but I haven't found out yet why they fail. It looks like wget works as expected when run manually.

Comments? OK?

Cheers,
Daniel

Index: Makefile =================================================================== RCS file: /cvs/ports/net/wget/Makefile,v retrieving revision 1.70 diff -u -p -r1.70 Makefile --- Makefile 27 Mar 2016 03:26:11 -0000 1.70 +++ Makefile 19 Jun 2016 09:04:58 -0000 @@ -2,7 +2,7 @@ COMMENT = retrieve files from the web via HTTP, HTTPS and FTP -DISTNAME = wget-1.17.1 +DISTNAME = wget-1.18 CATEGORIES = net HOMEPAGE = https://www.gnu.org/software/wget/ Index: distinfo =================================================================== RCS file: /cvs/ports/net/wget/distinfo,v retrieving revision 1.17 diff -u -p -r1.17 distinfo --- distinfo 27 Mar 2016 03:26:11 -0000 1.17 +++ distinfo 19 Jun 2016 09:04:58 -0000 
@@ -1,2 +1,2 @@ -SHA256 (wget-1.17.1.tar.xz) = /lWbYeucwBY1rGIGoU4Cy1FZGDjDX6g8ekqsrgvdl8k= -SIZE (wget-1.17.1.tar.xz) = 1894140 +SHA256 (wget-1.18.tar.xz) = tbVbdXJsBMBv4lPa7JMppvGjwMGHjj6nbr/rwTnqnME= +SIZE (wget-1.18.tar.xz) = 1922376 Index: patches/patch-doc_wget_texi =================================================================== RCS file: /cvs/ports/net/wget/patches/patch-doc_wget_texi,v retrieving revision 1.10 diff -u -p -r1.10 patch-doc_wget_texi --- patches/patch-doc_wget_texi 27 Mar 2016 03:26:11 -0000 1.10 +++ patches/patch-doc_wget_texi 19 Jun 2016 09:04:58 -0000 @@ -1,6 +1,6 @@ $OpenBSD: patch-doc_wget_texi,v 1.10 2016/03/27 03:26:11 danj Exp $ ---- doc/wget.texi.orig Thu Dec 10 23:25:14 2015 -+++ doc/wget.texi Sat Mar 26 12:24:37 2016 +--- doc/wget.texi.orig Fri Jun 3 13:55:13 2016 ++++ doc/wget.texi Sun Jun 19 10:57:35 2016 @@ -191,14 +191,14 @@ gauge can be customized to your preferences. Most of the features are fully configurable, either through command line options, or via the initialization file @file{.wgetrc} (@pxref{Startup @@ -18,7 +18,7 @@ $OpenBSD: patch-doc_wget_texi,v 1.10 201 Default location of the @dfn{global} startup file. @item .wgetrc -@@ -3036,9 +3036,8 @@ commands. +@@ -3067,9 +3067,8 @@ commands. @cindex location of wgetrc When initializing, Wget will look for a @dfn{global} startup file, @@ -30,7 +30,7 @@ $OpenBSD: patch-doc_wget_texi,v 1.10 201 Then it will look for the user's file. If the environmental variable @code{WGETRC} is set, Wget will try to load that file. Failing that, no -@@ -3048,7 +3047,7 @@ If @code{WGETRC} is not set, Wget will try to load @fi +@@ -3079,7 +3078,7 @@ If @code{WGETRC} is not set, Wget will try to load @fi The fact that user's settings are loaded after the system-wide ones means that in case of collision user's wgetrc @emph{overrides} the
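Review bot: The DISTNAME bump to wget-1.18 in the Makefile hunk goes in with five regression tests failing, and all five (Test--https.py, the three Test-pinnedpubkey-*-https.py tests and Test-hsts.py) are named for HTTPS features, so a manual fetch working may not exercise certificate pinning or HSTS handling. Before committing, run the same tests against the 1.17.1 port to see whether the failures predate the update, and record the result in the commit message. The quoted changes also flag a backward-incompatible change for HTTP->FTP redirects, so mention --trust-server-names in the commit message for users whose scripts rely on the old file naming.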
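Review bot: The new SHA256 and SIZE lines for wget-1.18.tar.xz in the distinfo hunk pin whatever copy of the tarball was downloaded, and the mail does not say that copy was checked against upstream's signature. For a release that closes a CVE, verify the tarball against upstream's detached signature before recording the hash, and state in the submission that this was done.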
