Bug 24109

Summary: wget new security issue CVE-2018-20483
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED
Resolution: FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: lewyssmith, marja11, sysadmin-bugs
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-64-OK
Source RPM: wget-1.19.5-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2019-01-01 17:02:57 CET
A security issue was fixed in wget 1.20.1:
https://www.openwall.com/lists/oss-security/2019/01/01/1
Comment 1 Marja Van Waes 2019-01-02 20:27:45 CET
Assigning to the registered maintainer.

Assignee: bugsquad => lists.jjorge
CC: (none) => marja11

Comment 2 José Jorge 2019-01-02 22:15:50 CET
Pushed to testing. Suggested advisory:

Since version 1.19 Wget stores the URL and in certain cases
the 'Referer' URL within extended attributes (xattrs) of the file system
by default.

This includes username + password and other credentials or private data
*if* those have been used within the URLs. Anyone with read access to
those files might also read the xattrs and might use the data.

Wget 1.20.1 or higher will not use xattrs by default any more. To enable
it again you have to use the --xattr option or xattr command for .wgetrc
files.

Single RPM:
wget-1.20.1-1.mga6

Assignee: lists.jjorge => qa-bugs
Status: NEW => ASSIGNED
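
A defender-side check for the behaviour the advisory describes, added here as an example that is not part of the update or of wget itself: it assumes the attribute names wget 1.19 writes (user.xdg.origin.url and user.xdg.referrer.url, the freedesktop convention, which this report does not name) and constructs the sample values itself. It flags downloaded files whose stored URLs carry userinfo and strips the attributes, which is what an admin would want to run over existing downloads even after updating to 1.20.1.

```python
import errno
import os
import tempfile
from urllib.parse import urlsplit

# xattr names wget 1.19+ writes (freedesktop xdg convention); the values are the
# download URL and the Referer URL verbatim, credentials included.
WGET_ATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")

def url_has_credentials(url):
    """True if the URL carries userinfo (user or user:password before '@')."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)

def scan_file(path):
    """Return {attr: value} for the wget xattrs present on path."""
    found = {}
    for attr in WGET_ATTRS:
        try:
            found[attr] = os.getxattr(path, attr).decode("utf-8", "replace")
        except OSError as e:  # ENODATA: attr absent; ENOTSUP: fs has no user xattrs
            if e.errno not in (errno.ENODATA, errno.ENOTSUP):
                raise
    return found

def strip_wget_xattrs(path):
    """Remove the wget xattrs from path; returns the names removed."""
    removed = list(scan_file(path))
    for attr in removed:
        os.removexattr(path, attr)
    return removed

def demo():
    """Simulate a wget 1.19 download made with a credentialed URL, then clean up.
    Returns None where user xattrs are unavailable, else a summary dict."""
    if not hasattr(os, "setxattr"):
        return None
    with tempfile.NamedTemporaryFile() as tmp:
        try:  # constructed sample values: what wget 1.19 would have written
            os.setxattr(tmp.name, WGET_ATTRS[0], b"https://alice:s3cret@example.com/report.pdf")
            os.setxattr(tmp.name, WGET_ATTRS[1], b"https://example.com/index.html")
        except OSError as e:
            if e.errno == errno.ENOTSUP:
                return None
            raise
        leaked = [a for a, u in scan_file(tmp.name).items() if url_has_credentials(u)]
        strip_wget_xattrs(tmp.name)
        return {"leaked": leaked, "after": scan_file(tmp.name)}
```

On a real system, run scan_file over the download directory and treat any hit from url_has_credentials as a credential exposure to rotate, not just an attribute to delete.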

Comment 3 Lewis Smith 2019-01-05 21:51:55 CET
Testing M6 x64

AFTER update: wget-1.20.1-1.mga6

The CVE-2018-20483 references showed no test case for the problem.

I changed MCC media management to use wget as its downloader. Then applied several outstanding updates.

I then followed previous tests in:
 https://bugs.mageia.org/show_bug.cgi?id=23002#c6

$ wget http://www.dd-wrt.com/wiki/index.php/Supported_Devices#Read_Me_First.21
Got the page OK, crudely formatted, viewed locally. It could probably be improved with some wget options.

$ wget -nH --cut-dirs=2 -r -k -p -np http://tavmjong.free.fr/INKSCAPE/MANUAL/html/index.html
This test downloads the large and complicated Inkscape manual adjusted for local viewing. It really hammers wget; the result viewed at random was impeccable.

Advisory done from comments 2 & 0 + bug title. Validating.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 Mageia Robot 2019-01-05 22:50:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0015.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED