Univention Bugzilla – Bug 41662
wget: minor issues (4.1)
Last modified: 2017-08-16 13:34:09 CEST
Minor issue in wget:
* Lack of filename checking allows arbitrary file upload via FTP redirect (CVE-2016-4971)
* Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open (CVE-2016-7098)
Upstream Debian package version 1.13.4-3+deb7u4 fixes this issue:
* CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL (CVE-2017-6508)

CVE-2016-4971 has been fixed in 1.13.4-3+deb7u3.
CVE-2016-7098 will probably not get fixed (CVSS: 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N)
repo_admin.py -U -d wheezy -r 4.1 -s errata4.1-4 -p wget
b41-scope errata4.1-4 wget
Advisory: wget.yaml
Looks good
What I tested:
wget univention.de -> works -> OK
changelog -> OK
YAML -> OK
Verified
<http://errata.software-univention.de/ucs/4.1/451.html>