This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Security Advisory and Request for Wget Update: 1.10.2
- From: Alan Dobkin <Cygwin at OmniComp dot org>
- To: Cygwin-Apps Mailing List <Cygwin-Apps at Cygwin dot com>
- Date: Tue, 15 Nov 2005 15:33:56 -0500
- Subject: Security Advisory and Request for Wget Update: 1.10.2
- References: <435BE891.1020602@users.sourceforge.net>
FYI, Wget 1.10.2 was released over a month ago (on October 13, 2005):
> The latest stable version of Wget is 1.10.2. This release contains
> fixes for a major security problem: a remotely exploitable buffer
> overflow vulnerability in the NTLM authentication code. All Wget users
> are strongly encouraged to upgrade their Wget installation to the last
> release.
>
http://www.mail-archive.com/wget@sunsite.dk/msg08295.html
http://www.mail-archive.com/wget@sunsite.dk/msg08300.html
It seems that Harold Hunt is the new wget maintainer, and I do not wish
to take his place, but new releases such as this (especially security
updates that affect Windows) should be provided in a timely manner.
Thanks,
Alan
P. S. -- Apparently this is the same bug that also affected cURL, which
has no current maintainer....
On 10/23/2005 3:46 PM, Yaakov S (Cygwin Ports) wrote:
> cURL is vulnerable to a buffer overflow which could lead to the
> execution of arbitrary code.
>
> Solution: upgrade to 7.15.0.
>
> Workaround until solved:
> Disable NTLM authentication by not using the --anyauth or --ntlm
> options when using cURL (the command line version). Workarounds for
> programs that use the cURL library depend on the configuration options
> presented by those programs.
>
> http://security.gentoo.org/glsa/glsa-200510-19.xml
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
> http://www.idefense.com/application/poi/display?id=322&type=vulnerabilities
>
> Yaakov