Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 17 Aug 2010 23:09:05 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability

On Wed, Jun 09, 2010 at 03:47:42PM -0400, Steven M. Christey wrote:
> CVE-2010-2252 - wget 

This is finally getting fixed in wget upstream:

http://lists.gnu.org/archive/html/bug-wget/2010-07/msg00076.html

Giuseppe had to come up with his own patch (included at the end of the
posting above).  He "couldn't" use Florian's patch for licensing reasons
(getting a patch into an FSF project requires some paperwork sent to the
FSF, and somehow this process got stalled at some stage).

The new option name is "--trust-server-names".

Some criticism from a wget user, and Giuseppe's answer (which I agree with):

http://lists.gnu.org/archive/html/bug-wget/2010-08/msg00004.html

So things look good.  We should expect this feature and the safe default
in the next wget release.

(I did not test the patch myself, but I "trust" that it works.)

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.