PLDSA [3-1] New wget packages fix directory traversal
Krzysiek Taraszka
dzimi at pld.org.pl
Sat Jan 4 13:19:26 CET 2003
--------------------------------------------------------------------------
PLD Security Advisory PLDSA 3-1                    security at pld.org.pl
http://www.pld.org.pl/security/                    PLD Security Team
22 December 2002                                   http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------
Package : wget prior to 1.8.2-1
Vulnerability : directory traversal
PLD-specific : no
CVE : CAN-2002-1344
Steven M. Christey discovered that wget did not verify the FTP server's
response to an NLST command. That reply must contain only bare file names,
with no directory information, since a listing entry that carries a path can
be used to make an FTP client overwrite arbitrary files.
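The check described above, as an added example that is not part of this advisory and not wget's own code: an NLST reply is parsed line by line and every entry is validated as a bare file name before it could be used to build a local path. The function names (nlst_entry_is_safe, nlst_filter, nlst_count_safe) and the sample reply are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wget's code. Shows the validation the advisory says
 * was missing: reject any NLST entry that carries directory information
 * before it is used as a local file name. */

/* Return true if an NLST entry is a bare file name that is safe to create
 * inside the download directory. */
bool nlst_entry_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;                      /* empty entry */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;                      /* current / parent directory */
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return false;                      /* path separator: traversal or absolute path */
    return true;
}

/* Parse a raw NLST reply (CRLF- or LF-separated lines) and copy the safe
 * entries into out[] (each entry at most 63 characters; longer entries and
 * blank lines are dropped). Returns the number of accepted entries. */
size_t nlst_filter(const char *reply, char out[][64], size_t maxout)
{
    size_t n = 0;
    const char *p = reply;

    while (*p != '\0' && n < maxout) {
        const char *end = strpbrk(p, "\r\n");
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len > 0 && len < 64) {
            char entry[64];
            memcpy(entry, p, len);
            entry[len] = '\0';
            if (nlst_entry_is_safe(entry)) {
                memcpy(out[n], entry, len + 1);
                n++;
            }
        }
        if (end == NULL)
            break;
        p = end;
        while (*p == '\r' || *p == '\n')
            p++;                           /* skip the line terminator(s) */
    }
    return n;
}

/* Convenience wrapper: only the count of accepted entries. */
size_t nlst_count_safe(const char *reply)
{
    char tmp[64][64];
    return nlst_filter(reply, tmp, 64);
}

/* Constructed sample reply from a hostile server: two legitimate names and
 * two entries that would escape the download directory. */
static const char SAMPLE_REPLY[] =
    "README\r\n"
    "../../escaped.txt\r\n"
    "data.tar.gz\r\n"
    "/tmp/absolute\r\n";

int main(void)
{
    char names[8][64];
    size_t n = nlst_filter(SAMPLE_REPLY, names, 8);
    for (size_t i = 0; i < n; i++)
        printf("accepted: %s\n", names[i]);
    return 0;
}
```

Rejecting on any path separator is deliberately stricter than checking only for ".." components: a file name returned by NLST never legitimately contains one, so the whole class of traversal and absolute-path entries is refused with a single rule.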
This problem has been fixed in version 1.8.2-2 for the
current stable distribution (ra).
We recommend that you upgrade your wget packages.
wget -c url
    will fetch the file for you
rpm -Uhv file(s)*.rpm
    will upgrade the referenced file(s).
If you are using "poldek" - the package manager, use the lines given below
to upgrade the packages:
poldek --update
    will update the internal database
poldek --upgrade 'wget*'
    will install the corrected packages
If you are using "apt" - the package manager, use the lines given below
to upgrade the packages:
apt-get update
    will update the internal database
apt-get upgrade 'wget*'
    will install the corrected packages
PLD Linux 1.0 alias ra
--------------------
Source archives:
ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/wget-1.8.2-2.src.rpm
MD5 checksum: 83f108b10c874a78c4b41eaa6952e78f
I386 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/wget-1.8.2-2.i386.rpm
MD5 checksum: 7112b87f0eada7ff19bc7cce68c7b681
I586 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/wget-1.8.2-2.i586.rpm
MD5 checksum: 00fbe6d783905b8edb4011639e92b4c3
I686 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/wget-1.8.2-2.i686.rpm
MD5 checksum: f192bf834d7398d55c39f462102f1147
PowerPC Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/wget-1.8.2-2.ppc.rpm
MD5 checksum: 2493a967054a5d3a17967efc07f42064
--------------------------------------------------------------------------------
If you are using poldek, add the matching line below to poldek.conf.
If you are using apt-get, add the matching line below to sources.list.
For i386 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security