SUSE has issued an advisory on June 24: https://lists.suse.com/pipermail/sle-updates/2024-June/035703.html The fix is: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mageia 9 is also affected.
Status comment: (none) => Patch available from upstreamSource RPM: (none) => wget-1.21.4-1.mga9.src.rpmCVE: (none) => CVE-2024-38428Whiteboard: (none) => MGA9TOO
Status comment: Patch available from upstream => Patch available from openSUSE and upstream
Assigning to all packagers collectively, because wget has no registered maintainer.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated package fixes a security vulnerability: url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. (CVE-2024-38428) References: https://lists.suse.com/pipermail/sle-updates/2024-June/035703.html ======================== Updated package in core/updates_testing: ======================== wget-1.21.4-1.1.mga9 from SRPM: wget-1.21.4-1.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugsVersion: Cauldron => 9Status comment: Patch available from openSUSE and upstream => (none)
Installed and tested without issues. Tested: - http 1, 1.1 and 2; - https with CA signed and self signed certificates; - IPv4 and IPv6; - ftp and ftps; - user and password authentication. All seems to work correctly. System: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics. $ uname -a Linux jupiter 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux $ rpm -q wget wget-1.21.4-1.1.mga9
CC: (none) => mageia
installed update - ran updates through our gui utility against an ftp site, confirming the utility was using wget. No issues. All updates were successful.
CC: (none) => brtians1
mga9-64 OK here § Downloaded files from an internet server, HTTPS § used drakrpm configured to use wget to install an app... IMO, this need to be tested on 32 bit as well. @Brian, what arch in comment 4?
CC: (none) => fri
RH mageia 9 i586 rpm -q wget wget-1.21.4-1.1.mga9 uninstall application am reinstall with urpmi --debug the output confirm the use of wget, the url of repository is https type Works OK
Keywords: (none) => advisory
(In reply to Morgan Leijström from comment #5) > mga9-64 OK here > > § Downloaded files from an internet server, HTTPS > > § used drakrpm configured to use wget to install an app... > > > IMO, this need to be tested on 32 bit as well. > > @Brian, what arch in comment 4? 64-bit. Good point - I'll test 32-bit later today.
MGA9-32, Mate $ uname -a Linux localhost 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 18:40:36 UTC 2024 i686 GNU/Linux updated wget used it to install audacious and play some music. Working
Whiteboard: (none) => MGA9-32-OK
(In reply to Brian Rockwell from comment #8) > MGA9-32, Mate > > $ uname -a > Linux localhost 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 > 18:40:36 UTC 2024 i686 GNU/Linux > > > updated wget > > used it to install audacious and play some music. > > Working Note - I used wget against HTTP this time.
I think this is good to move.
Whiteboard: MGA9-32-OK => MGA9-32-OK MGA9-64-OK
Validating
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0240.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED