On Sun, Jun 19, 2016 at 12:02:36PM +0200, Daniel Jakots wrote:
> Hi,
>
> As pointed out by fcambus, a new wget release is available. It fixes
> CVE-2016-4971.
>
> Release announcement:
> https://lists.gnu.org/archive/html/bug-wget/2016-06/msg00033.html
>
> Noteworthy changes:
>
> * By default, on server redirects to a FTP resource, use the original
>   URL to get the local file name. Close CVE-2016-4971. This
>   introduces a backward-incompatibility for HTTP->FTP redirects and
>   any script that relies on the old behaviour must use
>   --trust-server-names.
>
> * Check the HSTS file is not world-writable before using it.
>
> * Parse <img srcset> attributes on a recursive download.
>
> * Fix problem with SNI server names having trailing dot(s)
>
> * New options --bind-dns-address and --dns-servers.
>
> * When Wget is built with libiconv, it now converts non-ASCII URIs to
>   the locale's codeset when it creates files. The encoding of the
>   remote files and URIs is taken from --remote-encoding, defaulting to
>   UTF-8. The result is that non-ASCII URIs and files downloaded via
>   HTTP/HTTPS and FTP will have names on the local filesystem that
>   correspond to their remote names.
>
> 5 wget tests fail:
> FAIL: Test--https.py
> FAIL: Test-pinnedpubkey-der-https.py
> FAIL: Test-pinnedpubkey-hash-https.py
> FAIL: Test-pinnedpubkey-pem-https.py
> FAIL: Test-hsts.py
> but I haven't found out yet why they fail. It looks like wget works as
> expected when run manually.
>
> Comments? OK?
>
simple tests, works fine, ok shadchin@ > Cheers, > Daniel > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/wget/Makefile,v > retrieving revision 1.70 > diff -u -p -r1.70 Makefile > --- Makefile 27 Mar 2016 03:26:11 -0000 1.70 > +++ Makefile 19 Jun 2016 09:04:58 -0000 > @@ -2,7 +2,7 @@ > > COMMENT = retrieve files from the web via HTTP, HTTPS and FTP > > -DISTNAME = wget-1.17.1 > +DISTNAME = wget-1.18 > CATEGORIES = net > > HOMEPAGE = https://www.gnu.org/software/wget/ > Index: distinfo > =================================================================== > RCS file: /cvs/ports/net/wget/distinfo,v > retrieving revision 1.17 > diff -u -p -r1.17 distinfo > --- distinfo 27 Mar 2016 03:26:11 -0000 1.17 > +++ distinfo 19 Jun 2016 09:04:58 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (wget-1.17.1.tar.xz) = /lWbYeucwBY1rGIGoU4Cy1FZGDjDX6g8ekqsrgvdl8k= > -SIZE (wget-1.17.1.tar.xz) = 1894140 > +SHA256 (wget-1.18.tar.xz) = tbVbdXJsBMBv4lPa7JMppvGjwMGHjj6nbr/rwTnqnME= > +SIZE (wget-1.18.tar.xz) = 1922376 > Index: patches/patch-doc_wget_texi > =================================================================== > RCS file: /cvs/ports/net/wget/patches/patch-doc_wget_texi,v > retrieving revision 1.10 > diff -u -p -r1.10 patch-doc_wget_texi > --- patches/patch-doc_wget_texi 27 Mar 2016 03:26:11 -0000 1.10 > +++ patches/patch-doc_wget_texi 19 Jun 2016 09:04:58 -0000 > @@ -1,6 +1,6 @@ > $OpenBSD: patch-doc_wget_texi,v 1.10 2016/03/27 03:26:11 danj Exp $ > ---- doc/wget.texi.orig Thu Dec 10 23:25:14 2015 > -+++ doc/wget.texi Sat Mar 26 12:24:37 2016 > +--- doc/wget.texi.orig Fri Jun 3 13:55:13 2016 > ++++ doc/wget.texi Sun Jun 19 10:57:35 2016 > @@ -191,14 +191,14 @@ gauge can be customized to your preferences. > Most of the features are fully configurable, either through command line > options, or via the initialization file @file{.wgetrc} (@pxref{Startup 
> @@ -18,7 +18,7 @@ $OpenBSD: patch-doc_wget_texi,v 1.10 201 > Default location of the @dfn{global} startup file. > > @item .wgetrc > -@@ -3036,9 +3036,8 @@ commands. > +@@ -3067,9 +3067,8 @@ commands. > @cindex location of wgetrc > > When initializing, Wget will look for a @dfn{global} startup file, > @@ -30,7 +30,7 @@ $OpenBSD: patch-doc_wget_texi,v 1.10 201 > > Then it will look for the user's file. If the environmental variable > @code{WGETRC} is set, Wget will try to load that file. Failing that, no > -@@ -3048,7 +3047,7 @@ If @code{WGETRC} is not set, Wget will try to load @fi > +@@ -3079,7 +3078,7 @@ If @code{WGETRC} is not set, Wget will try to load @fi > > The fact that user's settings are loaded after the system-wide ones > means that in case of collision user's wgetrc @emph{overrides} the > -- Alexandr Shadchin
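Review bot: in the Makefile hunk, `DISTNAME = wget-1.18` is submitted with five failing tests listed in the message, all in the HTTPS, pinned-public-key and HSTS area, and no cause identified. Nothing in this diff touches TLS or the test setup, so it would help to state whether the same tests fail with wget-1.17.1 on the same machine; if they pass there, that is a regression to understand before commit. Since the bump also brings in the backward-incompatible HTTP->FTP redirect naming, a line in the commit message pointing users at --trust-server-names for scripts that rely on the old behaviour would be useful.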
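Review bot: in the distinfo hunk, the new `SHA256 (wget-1.18.tar.xz)` and `SIZE (wget-1.18.tar.xz)` values record whatever tarball was fetched when the port was regenerated, and the message does not say how that tarball was checked. For a release taken specifically to close CVE-2016-4971, confirm the tarball against what upstream published with the release before this goes in, and mention in the commit message that it was done.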
