wget: CVE-2018-0494: cookie injection

Related Vulnerabilities: CVE-2018-0494  

Debian Bug report logs - #898076

Package: src:wget; Maintainer for src:wget is Noël Köthe <noel@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 6 May 2018 18:57:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions wget/1.19.4-1, wget/1.16-1

Fixed in versions wget/1.19.5-1, wget/1.18-5+deb9u2, wget/1.16-1+deb8u5

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://savannah.gnu.org/bugs/?53763



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, tim.ruehsen@gmx.de, team@security.debian.org, Noël Köthe <noel@debian.org>:
Bug#898076; Package src:wget. (Sun, 06 May 2018 18:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, tim.ruehsen@gmx.de, team@security.debian.org, Noël Köthe <noel@debian.org>. (Sun, 06 May 2018 18:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wget: CVE-2018-0494: cookie injection
Date: Sun, 06 May 2018 20:54:24 +0200
Source: wget
Version: 1.19.4-1
Severity: grave
Tags: patch security upstream fixed-upstream

Hi,

The following vulnerability was published for wget.

CVE-2018-0494[0]:
cookie injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-0494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494
[1] https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://savannah.gnu.org/bugs/?53763'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 May 2018 19:03:05 GMT)


Marked as found in versions wget/1.16-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 May 2018 19:03:09 GMT)


Reply sent to Noël Köthe <noel@debian.org>:
You have taken responsibility. (Sun, 06 May 2018 19:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 06 May 2018 19:24:03 GMT)


Message #14 received at 898076-close@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: 898076-close@bugs.debian.org
Subject: Bug#898076: fixed in wget 1.19.5-1
Date: Sun, 06 May 2018 19:21:32 +0000
Source: wget
Source-Version: 1.19.5-1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 06 May 2018 20:44:40 +0200
Source: wget
Binary: wget wget-udeb
Architecture: source amd64
Version: 1.19.5-1
Distribution: unstable
Urgency: medium
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description:
 wget       - retrieves files from the web
 wget-udeb  - retrieves files from the web (udeb)
Closes: 898076
Changes:
 wget (1.19.5-1) unstable; urgency=medium
 .
   * new upstream release from 2018-05-06
   * includes a fix for CVE-2018-0494 closes: Bug#898076




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 13 May 2018 20:54:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 13 May 2018 20:54:08 GMT)


Message #19 received at 898076-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 898076-close@bugs.debian.org
Subject: Bug#898076: fixed in wget 1.18-5+deb9u2
Date: Sun, 13 May 2018 20:51:09 +0000
Source: wget
Source-Version: 1.18-5+deb9u2

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 06 May 2018 21:08:15 +0200
Source: wget
Binary: wget wget-udeb
Architecture: source
Version: 1.18-5+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 898076
Description:
 wget       - retrieves files from the web
 wget-udeb  - retrieves files from the web (udeb)
Changes:
 wget (1.18-5+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cookie injection (CVE-2018-0494) (Closes: #898076)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 13 May 2018 20:57:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 13 May 2018 20:57:06 GMT)


Message #24 received at 898076-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 898076-close@bugs.debian.org
Subject: Bug#898076: fixed in wget 1.16-1+deb8u5
Date: Sun, 13 May 2018 20:53:18 +0000
Source: wget
Source-Version: 1.16-1+deb8u5

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 06 May 2018 21:24:51 +0200
Source: wget
Binary: wget
Architecture: source
Version: 1.16-1+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 898076
Description:
 wget       - retrieves files from the web
Changes:
 wget (1.16-1+deb8u5) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cookie injection (CVE-2018-0494) (Closes: #898076)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 21 Jul 2018 07:33:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:00:51 2019; Machine Name: buxtehude
