Bug 20613 - wget new security issue CVE-2017-6508
Summary: wget new security issue CVE-2017-6508
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Reported: 2017-04-01 03:03 CEST by David Walser
Modified: 2017-04-04 08:45 CEST

See Also:
Source RPM: wget-1.19.1-1.mga6.src.rpm
Status comment:


Description David Walser 2017-04-01 03:03:01 CEST
openSUSE has issued an advisory today (March 31):
David Walser 2017-04-01 03:03:10 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-01 15:08:56 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 José Jorge 2017-04-02 22:08:13 CEST
I have registered as maintainer, so I'll take this one.

CC: (none) => lists.jjorge

Comment 3 José Jorge 2017-04-02 22:27:21 CEST
Pushed to cauldron.
Comment 4 José Jorge 2017-04-02 22:51:23 CEST
Same patch used for 1.15 version in MGA5

Suggested Advisory:

Wget till version 1.19.1 does not ensure no control characters are used in the URL. This security update rejects control characters in the host part of the URL.

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-6508

RPMS: only one i586 x86_64 and SRPM in core/updates_testing


Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 5 Dave Hodgins 2017-04-03 22:56:01 CEST
Mageia 5 x86_64.
From http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
Before the update ...
$ wget ' hi%0a/'
--2017-04-03 16:47:06--  http://[]/
Resolving\r\ncookie: hi\n (\r\ncookie: hi\n)...
Connecting to
cookie: hi
cookie: hi
)||:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2017-04-03 16:47:06 ERROR 400: Bad Request.

With the update ...
$ wget ' hi%0a/'
 hi%0a/: Invalid host name.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA5-64-OK advisory
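
The check described in the advisory in Comment 4 (reject control characters in the host part of a URL), written out as an added example; it is not wget's patch and not code from this bug. The function name `url_host_is_clean`, the helper `hex_val` and the sample URLs are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hex_val(unsigned char c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Hypothetical helper: return 1 if the host[:port] section of `url` holds no
 * control character (0x00-0x1f, 0x7f), raw or percent-encoded; otherwise 0. */
int url_host_is_clean(const char *url)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;               /* the scheme is optional on a command line */
    size_t len = strcspn(p, "/?#");    /* authority ends at the first '/', '?' or '#' */

    size_t start = 0;                  /* host begins after the last '@' (userinfo) */
    for (size_t i = 0; i < len; i++)
        if (p[i] == '@')
            start = i + 1;

    for (size_t i = start; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        /* Decode %XX first: an encoded CR or LF is as dangerous as a raw one. */
        if (c == '%' && i + 2 < len &&
            isxdigit((unsigned char)p[i + 1]) && isxdigit((unsigned char)p[i + 2])) {
            c = (unsigned char)(hex_val((unsigned char)p[i + 1]) * 16 +
                                hex_val((unsigned char)p[i + 2]));
            i += 2;
        }
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample URLs; example.test is a reserved test domain. */
    const char *samples[] = { "http://example.test/",
                              "http://example.test%0d%0acookie: hi%0a/",
                              "http://example.test/path%0a" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i],
               url_host_is_clean(samples[i]) ? "ok" : "Invalid host name");
    return 0;
}
```

The third sample passes because its encoded line feed is in the path, and the advisory's check covers only the host part.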

Dave Hodgins 2017-04-03 23:00:18 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-04-04 08:45:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
