This is a bugfix release:
"due to some privacy issues in default settings of Wget, we introduce
this bugfix release.
The --xattr option (saving original URL and Referer into extended file
attributes) was introduced and enabled by default since Wget 1.19.
It possibly saved - possibly unrecognized by the user - credentials,
access tokens etc. that were included in the requested URL.
We changed three details as a countermeasure, see below in the NEWS section.
With Best Regards, Tim
...
NEWS
* Changes in Wget 1.20.1
** --xattr is no longer default since it introduces privacy issues.
** --xattr saves the Referer as scheme/host/port, user/pw/path/query/fragment
are no longer saved to prevent privacy issues.
** --xattr saves the Original URL without user/password to prevent
privacy issues."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
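The two scrubbing rules from the NEWS text above, and a check for files that an older --xattr default may already have tagged, as an added example (not wget's own code). It assumes wget stores the metadata in the xattrs `user.xdg.origin.url` and `user.xdg.referrer.url` (an assumption; the announcement only says "extended file attributes"), and the URLs below are constructed samples:

```python
"""Model of the Wget 1.20.1 --xattr scrubbing rules plus a scanner for
files already carrying unscrubbed metadata.  Added example, not wget code."""
import os
from urllib.parse import urlsplit, urlunsplit

# Assumed xattr names used by wget for --xattr (not stated on the page).
ORIGIN_ATTR = "user.xdg.origin.url"
REFERRER_ATTR = "user.xdg.referrer.url"


def _host_port(parts):
    """Rebuild 'host[:port]' without any user:password component."""
    host = parts.hostname or ""
    if ":" in host:                     # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    return host + (f":{parts.port}" if parts.port else "")


def has_credentials(url: str) -> bool:
    """True if the URL carries user and/or password in its authority part."""
    p = urlsplit(url)
    return bool(p.username or p.password)


def scrub_origin_url(url: str) -> str:
    """1.20.1 rule for the Original URL: drop user/password, keep the rest.
    Note the query string (and any token in it) is still retained."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path, p.query, p.fragment))


def scrub_referer(url: str) -> str:
    """1.20.1 rule for the Referer: keep only scheme/host/port."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), "", "", ""))


def scan_file(path: str):
    """Return a list of (attr, value, leaks_credentials) for the wget xattrs
    present on `path`.  Missing attrs, unsupported filesystems and non-Linux
    platforms simply yield an empty list."""
    findings = []
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return findings
    for attr in (ORIGIN_ATTR, REFERRER_ATTR):
        try:
            value = getxattr(path, attr).decode("utf-8", "replace")
        except OSError:                 # ENODATA, ENOTSUP, ENOENT, ...
            continue
        findings.append((attr, value, has_credentials(value)))
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, as an --xattr-enabled download would record them.
    origin = "https://deploy:s3cret@example.org:8443/dl/file.tgz?token=abc#frag"
    referer = "https://alice:pw@example.org/private/page?q=1"
    print("origin  ->", scrub_origin_url(origin))
    print("referer ->", scrub_referer(referer))
    for found in scan_file("file.tgz"):
        print(found)
```

Running `scan_file` over a download directory shows which files written by Wget 1.19/1.20 still carry a full origin URL with embedded credentials; those attributes can be removed with `setfattr -x` (Linux). Note that, per the NEWS text, the origin rule strips only user/password, so a token carried in the query string is still written whenever --xattr is explicitly enabled.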
Hi,
Excerpts from official announcement:
"This version fixes CVE-2018-0494 (Cookie injection vulnerability) found
by Harry Sintonen.
This version fixes several issues, mostly found by OSS-Fuzz.
It also introduces TLS1.3 with OpenSSL, a new option --ciphers and
updates the CSS grammar to version 2.2.
...
Noteworthy changes:
* Fix cookie injection (CVE-2018-0494)
* Enable TLS1.3 with recent OpenSSL environment
* New option --ciphers to set GnuTLS / OpenSSL ciphers directly
* Updated CSS grammar to CSS 2.2
* Fixed several memleaks found by OSS-Fuzz
* Fixed several buffer overflows found by OSS-Fuzz
* Fixed several integer overflows found by OSS-Fuzz
* Several minor bug fixes"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This version does not seem to be compatible with OpenSSL 1.1
and might be changed back to OpenSSL whenever it will compile.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Excerpts from changelog (Details => http://git.savannah.gnu.org/cgit/wget.git):
"Switch off compression by default
Gzip compression has a number of bugs which need to be ironed out before we can support it
by default. Some of these stem from a misunderstanding of the HTTP spec, but a lot of them
are also due to many web servers not being compliant with RFC 7231.
With this commit, I am marking GZip compression support as experimental
in GNU Wget pending further investigation and the addition of tests.
* src/http.c (gethttp): Fix bug that prevented all files from being decompressed
* src/host.c (sufmatch): Fix to domain matching
Replace HTTP urls with HTTPS where valid
Avoid redirecting output to file when tcgetpgrp fails
* src/log.c (check_redirect_output): tcgetpgrp can return -1 (ENOTTY),
be sure to check whether a valid controlling terminal exists before
redirecting. (Fixes: #51181)
Fix heap overflow in HTTP protocol handling (CVE-2017-13090)
Fix stack overflow in HTTP protocol handling (CVE-2017-13089)"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes CVE-2017-13089
A stack-based buffer overflow when processing chunked, encoded HTTP
responses was found in wget. By tricking an unsuspecting user into
connecting to a malicious HTTP server, an attacker could exploit
this flaw to potentially execute arbitrary code.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Excerpt from announcement:
"This version fixes a security vulnerability (CVE-2016-4971) present in
all old versions of wget. The vulnerability was discovered by Dawid
Golunski and was reported to us by Beyond Security's SecuriTeam.
On a server redirect from HTTP to an FTP resource, wget would trust the
HTTP server and use the name in the redirected URL as the destination
filename.
This behaviour was changed and now it works similarly to a redirect from
HTTP to another HTTP resource, so the original name is used as
the destination file. To keep the previous behaviour the user must
provide --trust-server-names."
Best,
Mat-backfromholidays-thias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
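A small model of the filename choice described in the CVE-2016-4971 announcement, as an added example (not wget's code): the pre-fix HTTP-to-FTP path, the fixed default, and the --trust-server-names opt-in. The redirect target and filenames are constructed samples; the `index.html` fallback for a URL ending in `/` follows wget's usual default:

```python
"""Destination filename selection on redirect, modelling the behaviour
described for CVE-2016-4971.  Added example, not wget's own code."""
import posixpath
from urllib.parse import urlsplit


def filename_from_url(url: str) -> str:
    """Last path component of the URL, or wget's default 'index.html'
    when the path is empty or ends in a slash."""
    name = posixpath.basename(urlsplit(url).path)
    return name or "index.html"


def destination_filename(original_url: str, redirect_url: str,
                         trust_server_names: bool = False,
                         pre_fix_behaviour: bool = False) -> str:
    """Pick the local filename after `original_url` redirected to `redirect_url`.

    trust_server_names  -> --trust-server-names: always take the redirect name.
    pre_fix_behaviour   -> the vulnerable behaviour: an HTTP->FTP redirect
                           took the server-chosen name from the FTP URL.
    Otherwise the name from the originally requested URL is used, as for an
    HTTP->HTTP redirect.
    """
    if trust_server_names:
        return filename_from_url(redirect_url)
    orig_scheme = urlsplit(original_url).scheme.lower()
    redir_scheme = urlsplit(redirect_url).scheme.lower()
    if pre_fix_behaviour and orig_scheme == "http" and redir_scheme == "ftp":
        return filename_from_url(redirect_url)   # attacker-controlled name
    return filename_from_url(original_url)


if __name__ == "__main__":
    # Constructed sample: a malicious server redirects the requested report
    # to an FTP URL whose last component is a dotfile in the current directory.
    requested = "http://example.org/reports/q3.pdf"
    redirect = "ftp://attacker.example/pub/.bash_profile"
    print("pre-fix  :", destination_filename(requested, redirect, pre_fix_behaviour=True))
    print("fixed    :", destination_filename(requested, redirect))
    print("opt-in   :", destination_filename(requested, redirect, trust_server_names=True))
```

The point of the fix is visible in the three calls: with the old behaviour a redirecting HTTP server decided what file landed in the user's working directory, while the fixed default keeps the name the user asked for, and only --trust-server-names restores server-chosen names.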