A security issue fixed upstream in wget has been announced today (October 27): http://openwall.com/lists/oss-security/2014/10/27/3 Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated wget package fixes security vulnerability: Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP (CVE-2014-4877). The default settings in wget have been changed such that wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the wget command. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877 https://bugzilla.redhat.com/show_bug.cgi?id=1139181 ======================== Updated packages in core/updates_testing: ======================== wget-1.14-2.1.mga3 wget-1.14-4.1.mga4 from SRPMS: wget-1.14-2.1.mga3.src.rpm wget-1.14-4.1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
FYI. I'm using http://git.savannah.gnu.org/cgit/wget.git/commit/?id=69c45cba4382fcaabe3d86876bd5463dc34f442c as well.
CC: (none) => oe
Thanks, it looks like RedHat is doing the same (they just had a copy-paste error in their bug). I've added it too. Same advisory, just bumped the subrel. Advisory: ======================== Updated wget package fixes security vulnerability: Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP (CVE-2014-4877). The default settings in wget have been changed such that wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the wget command. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877 https://bugzilla.redhat.com/show_bug.cgi?id=1139181 ======================== Updated packages in core/updates_testing: ======================== wget-1.14-2.2.mga3 wget-1.14-4.2.mga4 from SRPMS: wget-1.14-2.2.mga3.src.rpm wget-1.14-4.2.mga4.src.rpm
Testing complete mga4 64 Just testing wget is still able to fetch files via ftp.. $ wget ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/wget-1.14-4.2.mga4.x86_64.rpm --2014-10-27 16:31:27-- ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/wget-1.14-4.2.mga4.x86_64.rpm => âwget-1.14-4.2.mga4.x86_64.rpmâ Resolving distrib-coffee.ipsl.jussieu.fr (distrib-coffee.ipsl.jussieu.fr)... 134.157.176.20 Connecting to distrib-coffee.ipsl.jussieu.fr (distrib-coffee.ipsl.jussieu.fr)|134.157.176.20|:21... connected. Logging in as anonymous ... Logged in! ==> SYST ... done. ==> PWD ... done. ==> TYPE I ... done. ==> CWD (1) /pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing ... done. ==> SIZE wget-1.14-4.2.mga4.x86_64.rpm ... 507304 ==> PASV ... done. ==> RETR wget-1.14-4.2.mga4.x86_64.rpm ... done. Length: 507304 (495K) (unauthoritative) 100%[===================================================================================>] 507,304 717KB/s in 0.7s 2014-10-27 16:31:28 (717 KB/s) - âwget-1.14-4.2.mga4.x86_64.rpmâ saved [507304]
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 32 & 64 and mga4 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0431.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/618320/