openSUSE has issued an advisory today (March 31): https://lists.opensuse.org/opensuse-updates/2017-03/msg00113.html
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
I have registered as maintainer, so I'll take this one.
Status: NEW => ASSIGNEDCC: (none) => lists.jjorge
Pushed to cauldron.
Same patch used for 1.15 version in MGA5 Suggested Advisory : Wget till version 1.19.1 does not ensure no control characters are used in the url. This security update reject control characters in host part of URL. Ref : https://nvd.nist.gov/vuln/detail/CVE-2017-6508 RPMS: only one i586 x86_64 and SRPM in core/updates_testing wget-1.15-5.2.mga5
Version: Cauldron => 5Assignee: pkg-bugs => qa-bugsWhiteboard: MGA5TOO => (none)
Mageia 5 x86_64. From http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html Before the update ... $ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/' --2017-04-03 16:47:06-- http://[127.0.0.1%0D%0Acookie:%20hi%0A]/ Resolving 127.0.0.1\r\ncookie: hi\n (127.0.0.1\r\ncookie: hi\n)... 127.0.0.1 Connecting to 127.0.0.1 cookie: hi (127.0.0.1 cookie: hi )|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 400 Bad Request 2017-04-03 16:47:06 ERROR 400: Bad Request. With the update ... $ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/' http://127.0.0.1%0d%0aCookie%3a hi%0a/: Invalid host name.
CC: (none) => davidwhodginsWhiteboard: (none) => MGA5-64-OK advisory
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0104.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED