wget: CVE-2016-7098: files rejected by access list are kept on the disk for the duration of HTTP connection

Related Vulnerabilities: CVE-2016-7098  

Debian Bug report logs - #836503

Package: src:wget; Maintainer for src:wget is Noël Köthe <noel@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 3 Sep 2016 14:24:01 UTC

Severity: normal

Tags: security, upstream

Found in version wget/1.16-1

Fixed in version wget/1.18-4

Done: Noël Köthe <noel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Noël Köthe <noel@debian.org>:
Bug#836503; Package src:wget. (Sat, 03 Sep 2016 14:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Noël Köthe <noel@debian.org>. (Sat, 03 Sep 2016 14:24:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wget: CVE-2016-7098: files rejected by access list are kept on the disk for the duration of HTTP connection
Date: Sat, 03 Sep 2016 16:21:31 +0200
Source: wget
Version: 1.16-1
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for wget.

CVE-2016-7098[0]:
|files rejected by access list are kept on the disk for the duration of
|HTTP connection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7098

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Noël Köthe <noel@debian.org>:
You have taken responsibility. (Mon, 26 Sep 2016 13:39:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 26 Sep 2016 13:39:09 GMT)


Message #10 received at 836503-close@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: 836503-close@bugs.debian.org
Subject: Bug#836503: fixed in wget 1.18-4
Date: Mon, 26 Sep 2016 13:37:10 +0000
Source: wget
Source-Version: 1.18-4

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 836503@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 26 Sep 2016 18:01:04 +0200
Source: wget
Binary: wget wget-udeb
Architecture: source amd64
Version: 1.18-4
Distribution: unstable
Urgency: medium
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description:
 wget       - retrieves files from the web
 wget-udeb  - retrieves files from the web (udeb)
Closes: 836503
Changes:
 wget (1.18-4) unstable; urgency=medium
 .
   * added patches to fix CVE-2016-7098
     files rejected by access list are kept on the disk for the duration of
     HTTP connection closes: #836503




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Oct 2016 07:25:40 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:11:35 2019; Machine Name: buxtehude
