A security issue was fixed in wget 1.20.1: https://www.openwall.com/lists/oss-security/2019/01/01/1
Assigning to the registered maintainer.
Assignee: bugsquad => lists.jjorge
CC: (none) => marja11
Pushed to testing.

Suggested advisory:

Since version 1.19 Wget stores the URL and in certain cases the 'Referer' URL within extended attributes (xattrs) of the file system - by default. This includes username + password and other credentials or private data *if* those have been used within the URLs. Anyone with read access to those files might also read the xattrs and might use the data.

Wget 1.20.1 or higher will not use xattrs by default any more. To enable it again you have to use the --xattr option or xattr command for .wgetrc files.

Single RPM: wget-1.20.1-1.mga6
Assignee: lists.jjorge => qa-bugs
Status: NEW => ASSIGNED
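An audit for files already written by an affected wget, added here as an example and not part of the bug thread or of wget itself: it walks a directory, reads the two attributes wget populates (user.xdg.origin.url and user.xdg.referrer.url), and reports any whose stored URL carries userinfo or a query string, optionally stripping them. The function names and the choice to flag query strings are assumptions of this example; it relies on Linux xattr support in Python's os module.

```python
import os
import sys
from urllib.parse import urlsplit

# Attribute names written by wget's xattr support (CVE-2018-20483).
WGET_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def url_secrets(url):
    """Return reasons a stored URL is sensitive (empty list if none found)."""
    parts = urlsplit(url)
    reasons = []
    if parts.username or parts.password:
        reasons.append("userinfo")   # user:password@host
    if parts.query:
        reasons.append("query")      # may carry tokens or session ids
    return reasons


def read_wget_xattrs(path):
    """Return {attr: url} for the wget attributes present on path."""
    getxattr = getattr(os, "getxattr", None)  # only available on Linux
    found = {}
    if getxattr is None:
        return found
    for name in WGET_XATTRS:
        try:
            found[name] = getxattr(path, name).decode("utf-8", "replace")
        except OSError:
            continue  # attribute absent, or filesystem without xattr support
    return found


def audit(root, strip=False):
    """Walk root; return [(path, attr, reasons)] for sensitive stored URLs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            for attr, url in read_wget_xattrs(path).items():
                reasons = url_secrets(url)
                if reasons:
                    hits.append((path, attr, reasons))
                    if strip:
                        os.removexattr(path, attr)
    return hits


if __name__ == "__main__":
    # The URL itself is deliberately not printed, so the report leaks nothing.
    for path, attr, reasons in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {attr} contains {', '.join(reasons)}")
```

Run it against download directories that were populated by wget 1.19 through 1.20; updating to 1.20.1 stops new attributes from being written but does not remove existing ones.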
Testing M6 x64

AFTER update: wget-1.20.1-1.mga6

The CVE-2018-20483 references showed no test case for the problem.

I changed MCC media management to use wget as its downloader. Then applied several outstanding updates.

I then followed previous tests in: https://bugs.mageia.org/show_bug.cgi?id=23002#c6

$ wget http://www.dd-wrt.com/wiki/index.php/Supported_Devices#Read_Me_First.21
Got the page OK, crudely formatted, viewed locally. It could probably be improved with some wget options.

$ wget -nH --cut-dirs=2 -r -k -p -np http://tavmjong.free.fr/INKSCAPE/MANUAL/html/index.html
This test downloads the large and complicated Inkscape manual adjusted for local viewing. It really hammers wget; the result viewed at random was impeccable.

Advisory done from comments 2 & 0 + bug title. Validating.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0015.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED