Date: Tue, 17 Aug 2010 23:09:05 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability

On Wed, Jun 09, 2010 at 03:47:42PM -0400, Steven M. Christey wrote:
> CVE-2010-2252 - wget

This is finally getting fixed in wget upstream:

http://lists.gnu.org/archive/html/bug-wget/2010-07/msg00076.html

Giuseppe had to come up with his own patch (included at the end of the posting above). He "couldn't" use Florian's patch for licensing reasons (getting a patch into an FSF project requires some paperwork sent to the FSF, and somehow this process got stalled at some stage).

The new option name is "--trust-server-names".

Some criticism from a wget user, and Giuseppe's answer (which I agree with):

http://lists.gnu.org/archive/html/bug-wget/2010-08/msg00004.html

So things look good. We should expect this feature and the safe default in the next wget release. (I did not test the patch myself, but I "trust" that it works.)

Alexander
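Added illustration (not part of the message above, and not wget's own code): a small model of the policy the "--trust-server-names" option names, written for this page. A client that names the downloaded file after the final URL of a redirect chain lets the server pick the local file name; naming it after the URL the user actually requested keeps that choice with the user. The scenario below is constructed, the host "example.test" and the redirect targets are invented, and the filename derivation (last path component, percent-decoded, "index.html" for an empty or directory path) is a simplifying assumption rather than a description of wget's internals.

```python
from urllib.parse import urlsplit, unquote


def local_name_for(url: str) -> str:
    """Derive a local file name from a URL.

    Assumed rule for this model: take the last path component, percent-decode
    it, and fall back to "index.html" when the path is empty or ends in "/".
    Only the basename is used, so a path like /a/b/c never escapes the
    current directory.
    """
    path = urlsplit(url).path
    last = unquote(path.rsplit("/", 1)[-1])
    return last or "index.html"


def choose_filename(requested_url: str, redirect_chain: list[str],
                    trust_server_names: bool = False) -> str:
    """Pick the local file name for a download that went through redirects.

    Safe default (trust_server_names=False): name the file after the URL the
    user asked for. Only when the user opts in (trust_server_names=True) is
    the final, server-chosen URL used, which is the behaviour that let a
    hostile server choose the local file name (CVE-2010-2252).
    """
    final_url = redirect_chain[-1] if redirect_chain else requested_url
    source = final_url if trust_server_names else requested_url
    return local_name_for(source)


# Constructed scenario: the user asks for a PDF, the server answers with a
# redirect chain whose last hop points at a dotfile name.
REQUESTED = "http://example.test/downloads/report.pdf"
REDIRECTS = ["http://example.test/tmp/x", "http://example.test/.bashrc"]


if __name__ == "__main__":
    print("default:             ", choose_filename(REQUESTED, REDIRECTS))
    print("--trust-server-names:", choose_filename(REQUESTED, REDIRECTS,
                                                   trust_server_names=True))
```

With the default policy the download above lands in "report.pdf"; only an explicit opt-in lets the redirect target ".bashrc" become the local file name.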