Bug 16689

Summary: libidn new security issue CVE-2015-2059 affects curl and wget
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED WONTFIX
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
Version: 4
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/651768/
Whiteboard:
Source RPM: curl, wget
CVE:
Status comment:
Bug Depends on: 16342
Bug Blocks:

Description David Walser 2015-09-02 20:01:58 CEST
+++ This bug was initially created as a clone of Bug #16342 +++

Upstream has released version 1.31 on July 8:
http://lists.gnu.org/archive/html/info-gnu/2015-07/msg00003.html

This updated version is currently considered a "beta," as it changes the behavior of an API, and they haven't yet committed to retaining that change going forward.  We probably shouldn't update it until they do so.  It fixes a security issue in applications that use the API in an unsafe manner.

It was announced on the oss-security list on July 6 that wget and curl are two applications that are affected:
http://openwall.com/lists/oss-security/2015/07/06/5

cURL's approach was to disable libidn support by default, which I have also done in Cauldron.  If we are able to update to a "fixed" version of libidn in the future, we can re-enable curl's libidn support in Cauldron at that time.  For stable releases, it doesn't sound like it will ever make sense to backport this change in libidn, so disabling curl's libidn support there seems to be the way to go.  I have checked this change into Mageia 4 and Mageia 5 SVN.

wget has implemented a change to mitigate the impact of this issue, regardless of what libidn does.  I have checked this patch into Mageia 4, Mageia 5, and Cauldron SVN.

Unfortunately, libidn 1.32 requires an updated gettext to build, and the patched wget won't build.

Comment 1 David Walser 2015-09-04 15:37:50 CEST
I can't fix this for Mageia 4.  Closing as WONTFIX.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX