wget CVE-2017-13089/CVE-2017-13090

Related Vulnerabilities: CVE-2017-13089, CVE-2017-13090, CVE-2017-6508

Debian Bug report logs - #879957

Package: wget; Maintainer for wget is Noël Köthe <noel@debian.org>; Source for wget is src:wget.

Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 27 Oct 2017 16:42:02 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in versions wget/1.16-1, wget/1.19.1-5

Fixed in versions 1.16-1+deb8u4, 1.18-5+deb9u1, wget/1.19.2-1

Done: Noël Köthe <noel@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#879957; Package wget. (Fri, 27 Oct 2017 16:42:05 GMT).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Noël Köthe <noel@debian.org>. (Fri, 27 Oct 2017 16:42:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: wget CVE-2017-13089/CVE-2017-13090
Date: Fri, 27 Oct 2017 19:38:45 +0300
Package: wget
Version: 1.19.1-5
Severity: important
Tags: security, upstream, fixed-upstream

Following vulnerabilities have been fixed in Wget.

CVE-2017-13089
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f

CVE-2017-13090
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba

-- 
Henri Salo



Marked as fixed in versions 1.16-1+deb8u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Oct 2017 17:45:05 GMT).


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Oct 2017 17:45:06 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 27 Oct 2017 17:45:07 GMT).


Marked as fixed in versions 1.18-5+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Oct 2017 17:45:07 GMT).


Marked as found in versions wget/1.16-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Oct 2017 17:45:08 GMT).


Message sent on to Henri Salo <henri@nerv.fi>:
Bug#879957. (Fri, 27 Oct 2017 17:45:18 GMT).


Message #18 received at 879957-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 879957-submitter@bugs.debian.org
Subject: closing 879957, closing 879957
Date: Fri, 27 Oct 2017 19:40:19 +0200
# version pending for DSA
close 879957 1.16-1+deb8u4
close 879957 1.18-5+deb9u1
thanks




Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:36:06 GMT).


Reply sent to Noël Köthe <noel@debian.org>:
You have taken responsibility. (Sat, 28 Oct 2017 15:51:03 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 28 Oct 2017 15:51:03 GMT).


Message #25 received at 879957-close@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: 879957-close@bugs.debian.org
Subject: Bug#879957: fixed in wget 1.19.2-1
Date: Sat, 28 Oct 2017 15:49:19 +0000
Source: wget
Source-Version: 1.19.2-1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879957@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Oct 2017 16:50:54 +0200
Source: wget
Binary: wget wget-udeb
Architecture: source amd64
Version: 1.19.2-1
Distribution: unstable
Urgency: high
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description:
 wget       - retrieves files from the web
 wget-udeb  - retrieves files from the web (udeb)
Closes: 879957
Changes:
 wget (1.19.2-1) unstable; urgency=high
 .
   * new upstream release from 2017-10-27 fixes
     CVE-2017-13089/CVE-2017-13090 closes: Bug#879957
   * debian/watch added opts=pgpmode=auto
   * added debian/upstream/signing-key.asc
   * debian/control updated Standards Version to 4.1.1 (needed change
     see above)
   * removed upstream included debian/patches/CVE-2017-6508
   * updated debian/patches/gnulib.git.patch




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Dec 2017 07:28:16 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:53:08 2019; Machine Name: beach