wget: CVE-2017-6508: CRLF injection in the url_parse function in url.c


Debian Bug report logs - #857073


Package: src:wget; Maintainer for src:wget is Noël Köthe <noel@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 7 Mar 2017 19:57:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version wget/1.16-1

Fixed in versions wget/1.19.1-2, wget/1.18-5, wget/1.16-1+deb8u2

Done: Noël Köthe <noel@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Noël Köthe <noel@debian.org>: Bug#857073; Package src:wget. (Tue, 07 Mar 2017 19:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Noël Köthe <noel@debian.org>. (Tue, 07 Mar 2017 19:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wget: CVE-2017-6508: CRLF injection in the url_parse function in url.c
Date: Tue, 07 Mar 2017 20:52:12 +0100
Source: wget
Version: 1.16-1
Severity: important
Tags: patch security upstream
Forwarded: http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html

Hi,

the following vulnerability was published for wget.

CVE-2017-6508[0]:
| CRLF injection vulnerability in the url_parse function in url.c in Wget
| through 1.19.1 allows remote attackers to inject arbitrary HTTP headers
| via CRLF sequences in the host subcomponent of a URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
[1] http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
[2] http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
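The CVE text above describes the whole defect in one sentence: a URL's host subcomponent is later formatted into the request's Host header, so a CR/LF inside the host becomes a header delimiter. The following C block is an added illustration, not wget's url.c and not the upstream patch: it puts the unchecked formatting pattern beside a hardened one that validates the host first and refuses the URL, and it counts header lines so the difference is measurable. All function names, the sample host string and the "reject on any control byte or space" rule are this example's own assumptions; the real upstream check may differ in detail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not wget's code: the class of check a URL parser needs so
 * that the host subcomponent can never carry a line break into the request
 * it is later formatted into. Returns 1 when host contains CR, LF, another
 * ASCII control byte, DEL or a space; 0 when it is safe to embed. */
int host_has_forbidden_bytes(const char *host)
{
    for (const unsigned char *p = (const unsigned char *)host; *p; p++) {
        if (*p < 0x20 || *p == 0x7f || *p == ' ')
            return 1;
    }
    return 0;
}

/* Number of "\r\n"-terminated lines between the request line and the blank
 * line that ends the header block. A request built from one well-formed
 * host has exactly one such line (the Host header). */
int count_header_lines(const char *req)
{
    const char *p = strstr(req, "\r\n");   /* skip the request line */
    if (!p)
        return 0;
    p += 2;
    int lines = 0;
    while (*p && strncmp(p, "\r\n", 2) != 0) {
        const char *e = strstr(p, "\r\n");
        lines++;
        if (!e)
            break;
        p = e + 2;
    }
    return lines;
}

/* The unsafe pattern: format the host straight into the request. Any CRLF
 * inside host becomes a header delimiter, which is the CVE-2017-6508 class
 * of bug. Caller frees the result. */
char *build_request_unchecked(const char *host, const char *path)
{
    size_t n = strlen(host) + strlen(path) + 32;   /* room for the fixed text */
    char *buf = malloc(n);
    if (!buf)
        return NULL;
    snprintf(buf, n, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", path, host);
    return buf;
}

/* The hardened pattern: validate the host first and refuse the whole URL
 * (return NULL) when it fails, as a fixed parser would. Caller frees. */
char *build_request_checked(const char *host, const char *path)
{
    if (host_has_forbidden_bytes(host))
        return NULL;
    return build_request_unchecked(host, path);
}

int main(void)
{
    /* Constructed sample host carrying a CRLF sequence; not taken from the page. */
    const char *bad_host = "example.com\r\nX-Injected: yes";

    char *r1 = build_request_unchecked(bad_host, "/");
    printf("unchecked builder produced %d header line(s)\n",
           r1 ? count_header_lines(r1) : 0);

    char *r2 = build_request_checked(bad_host, "/");
    printf("checked builder %s the URL\n", r2 ? "accepted" : "rejected");

    free(r1);
    free(r2);
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 -Wall crlf_host.c`). The point of the side-by-side is that the fix belongs at parse time: once the host has been accepted, every later formatting site inherits the guarantee, which is cheaper and safer than escaping at each of them.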



Reply sent to Noël Köthe <noel@debian.org>: You have taken responsibility. (Sat, 18 Mar 2017 15:21:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 18 Mar 2017 15:21:04 GMT)


Message #10 received at 857073-close@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: 857073-close@bugs.debian.org
Subject: Bug#857073: fixed in wget 1.19.1-2
Date: Sat, 18 Mar 2017 15:19:50 +0000
Source: wget
Source-Version: 1.19.1-2

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857073@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Mar 2017 14:52:26 +0100
Source: wget
Binary: wget wget-udeb
Architecture: source amd64
Version: 1.19.1-2
Distribution: unstable
Urgency: medium
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description:
 wget       - retrieves files from the web
 wget-udeb  - retrieves files from the web (udeb)
Closes: 857073
Changes:
 wget (1.19.1-2) unstable; urgency=medium
 .
   * added upstream patch to fix CVE-2017-6508 closes: Bug#857073
Checksums-Sha1:
 9a9f9e7795ac233aef8a6b317962d713367e8839 1917 wget_1.19.1-2.dsc
 f052eee3379c9169ca84f254b82f3e35f0800235 20508 wget_1.19.1-2.debian.tar.xz
 cbcd05186a4321340ce41d8ecd0fcc4c7c5f9d33 459504 wget-dbgsym_1.19.1-2_amd64.deb
 dabd11bc7de89c7c29ad2b8897b69e7dd63e24f8 150746 wget-udeb_1.19.1-2_amd64.udeb
 42f83db40b99f67f66a33ccf8af79ae64c8c067d 7277 wget_1.19.1-2_amd64.buildinfo
 7823b54d5255f9ba740324cc278b8612ca7a1530 857260 wget_1.19.1-2_amd64.deb
Checksums-Sha256:
 2bd3c638ef797ceb74538f1b9ab58edb4a50a417f3ab417381efd772d23b5ca7 1917 wget_1.19.1-2.dsc
 59f42a5f9499247608c05a8c02a8dae520b1cf91dcf7361e85a88de413a66720 20508 wget_1.19.1-2.debian.tar.xz
 a003872cf344ab19f5a9239b2de5d65d5b15944ddfd9f4fd0a751adc09d22154 459504 wget-dbgsym_1.19.1-2_amd64.deb
 822552a579501a3e761d84192b628f34919f40e24bde94f45da579b64485a5ee 150746 wget-udeb_1.19.1-2_amd64.udeb
 b474166c13a0f2099a8dd8f4d58bc0d208eed404f7b854d2f2f77808a411a2dd 7277 wget_1.19.1-2_amd64.buildinfo
 684f657e530e1d8b1a1545af597055f1523369145203f784a31d8c70928f6aa4 857260 wget_1.19.1-2_amd64.deb
Files:
 558713962be21f8eebcbbb68f411f734 1917 web important wget_1.19.1-2.dsc
 b79d91722492f3a2bbe68f1e2ede1acc 20508 web important wget_1.19.1-2.debian.tar.xz
 0133e2fc56b588253f97b6f154371a67 459504 debug extra wget-dbgsym_1.19.1-2_amd64.deb
 1b885274ddc6a8a8f120bc9de3fa3af1 150746 debian-installer extra wget-udeb_1.19.1-2_amd64.udeb
 197895c5230a6ef7adf2c9cbbe762915 7277 web important wget_1.19.1-2_amd64.buildinfo
 17802db484f356c38bdab94fbc3f14e0 857260 web important wget_1.19.1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Noël Köthe <noel@debian.org>: You have taken responsibility. (Sat, 18 Mar 2017 16:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 18 Mar 2017 16:09:05 GMT)


Message #15 received at 857073-close@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: 857073-close@bugs.debian.org
Subject: Bug#857073: fixed in wget 1.18-5
Date: Sat, 18 Mar 2017 16:07:57 +0000
Source: wget
Source-Version: 1.18-5

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857073@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Mar 2017 15:12:55 +0100
Source: wget
Binary: wget wget-udeb
Architecture: source amd64
Version: 1.18-5
Distribution: testing-proposed-updates
Urgency: medium
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description:
 wget       - retrieves files from the web
 wget-udeb  - retrieves files from the web (udeb)
Closes: 857073
Changes:
 wget (1.18-5) testing-proposed-updates; urgency=medium
 .
   * applied upstream patch to fix CVE-2017-6508 closes: Bug#857073
Checksums-Sha1:
 3642880c307683b27ba67119a93c2abc35c4a55d 1902 wget_1.18-5.dsc
 8e7e3b9c4da6c11fa0c9104bdc08b39492cdb4d2 21940 wget_1.18-5.debian.tar.xz
 2f1e6ae15ac52651b6fdb2ec248bd95a9a1c5632 449980 wget-dbgsym_1.18-5_amd64.deb
 eb23a83bffb83e7c3237e6a592f8a78a73815ecc 148266 wget-udeb_1.18-5_amd64.udeb
 0fab04d71893b8aca9e66df7d7efbffc95087538 7222 wget_1.18-5_amd64.buildinfo
 6cad3e02bf17499d2d16fa1514c5df9703defa6d 799504 wget_1.18-5_amd64.deb
Checksums-Sha256:
 3aabc0aeb73b151e9e6433db98270cb88629197dec6cfd7b811f237402b27fdb 1902 wget_1.18-5.dsc
 398296b9ac72a8471ad3478370d4ed674be478572ccb70f6b61950d9b1d8044f 21940 wget_1.18-5.debian.tar.xz
 5a42f452f113ef28b99a15aa9f8e663bb667957a9cb6f63425a2ac83da70bad8 449980 wget-dbgsym_1.18-5_amd64.deb
 683c5e60165f006d248e94f9fc1c8d54e7f01dfd98e96a16ac1ca9287bb7069f 148266 wget-udeb_1.18-5_amd64.udeb
 2e2e8b22be55f19ad5d5b5f0831bc06d7beb69b1e66d3a2f74a91aa0d1c93dcc 7222 wget_1.18-5_amd64.buildinfo
 cd23e0a3d59df1f8af3de690768186d829991099e9cdb8eb5716e38a1b5d83f3 799504 wget_1.18-5_amd64.deb
Files:
 e0b037b6900696e001c426f2db62c7fc 1902 web important wget_1.18-5.dsc
 03e65c32601669212c698bf9fb26a1f1 21940 web important wget_1.18-5.debian.tar.xz
 c9980d663b309e91fe7a08c0e5ab598a 449980 debug extra wget-dbgsym_1.18-5_amd64.deb
 85ae85b6538f71c43d464ef1a7f01af1 148266 debian-installer extra wget-udeb_1.18-5_amd64.udeb
 576d5c2f6eb46db3e0482d88b04a9696 7222 web important wget_1.18-5_amd64.buildinfo
 46a3446f4a6184ee827ab5c6a5afca65 799504 web important wget_1.18-5_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpF5AXAxsgPE/8VIXaMB4voj4DNoFAljNSj4ACgkQaMB4voj4
DNrv6RAAhX3gMHJ+GPYKFWyOFWAH0CDJDuGhIPsxZCT99AmwY7xyRCW0Qk8O3rCW
4+g05GAlytFV3y47NfEEOhmf119y82JbYth4PVLbUc1EOUxf00CG+G3es/HzLJaW
EUlvDHcwEb9GML2y4jooJ01v7sGDUH4PPbPsDDRlWYQccDb5ftLCEyE+m15AN19o
uEm8RwNih4UUvg9WDzLYA/mBaS8A5WkxrKh4e5hPJnncE8GcEYog0lpqGqXecKtW
Jj/QH8CQ2cV86P4A42lrCQ/eZV1L40mi44YGzyCXQwO93eruW3oTnCfP1GFvGeYb
/AyE7jHQreuB/ubI0ev8/BREiJpyHA4Gb+/Baz7nTouWB/2v7B2Aqhr/3Eg4Oa5i
F5tGE6mqRGKnaX9jx2utBB9epSOV+a5w+z8umStZVGUedlunZjXqmJqYMysAXsRe
Dc2hZ58wiPmbJHgE5lXMbRH7fOg2A7Q2Oe25ixk0DGi2zn2eUC/eXeXW+y/+CMg3
aJOENrHp3AzH/eE9lPaYWTmiEZ9j4AF8F+eSFbnlSJLUpmngApoiw3PtYyUw5pxQ
BuB5cRDtbF1NzZSESRjo8flzR2ldFwfGC8KBR56F/GgBosxBjNM9bzV3DvH8MIx6
NTdSLhDG9uebvb6O7EllfJoUmZUqVmP7hD77j7JVoVIyUWshsUc=
=wdPP
-----END PGP SIGNATURE-----




Reply sent to Noël Köthe <noel@debian.org>: You have taken responsibility. (Wed, 29 Mar 2017 19:51:27 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 29 Mar 2017 19:51:27 GMT)


Message #20 received at 857073-close@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: 857073-close@bugs.debian.org
Subject: Bug#857073: fixed in wget 1.16-1+deb8u2
Date: Wed, 29 Mar 2017 19:47:12 +0000
Source: wget
Source-Version: 1.16-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857073@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Mar 2017 15:39:29 +0100
Source: wget
Binary: wget
Architecture: source amd64
Version: 1.16-1+deb8u2
Distribution: jessie
Urgency: medium
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description:
 wget       - retrieves files from the web
Closes: 857073
Changes:
 wget (1.16-1+deb8u2) jessie; urgency=medium
 .
   * added upstream patch to fix CVE-2017-6508 closes: Bug#857073
Checksums-Sha1:
 519c438ef6a33ddb3d978530224b75d9271afa2b 1783 wget_1.16-1+deb8u2.dsc
 803b331b0c080e14d2bc1ef2291bcd3afd7d5058 22132 wget_1.16-1+deb8u2.debian.tar.xz
 572f188111ad6ea93f9ff275ad1bddbe00e4e70b 495992 wget_1.16-1+deb8u2_amd64.deb
Checksums-Sha256:
 69155e94c4b4166287761dbb3ed09ae6f4af9e88b0c4b42d83cb807e6f39b727 1783 wget_1.16-1+deb8u2.dsc
 7271338d383459faa336b721685cf7b49ea40fb43da8910f30d07f146dff32d0 22132 wget_1.16-1+deb8u2.debian.tar.xz
 2d796bb572b480ee2adfc3dac3cdb232aa45c3686827d2da1bd9ae6a013b2053 495992 wget_1.16-1+deb8u2_amd64.deb
Files:
 929cce9aced3b83769369db6627391a9 1783 web important wget_1.16-1+deb8u2.dsc
 ad986d4242f541ee37533a4fd9ac48e2 22132 web important wget_1.16-1+deb8u2.debian.tar.xz
 b5b911a9e1f32d3db4812f98a1b9e335 495992 web important wget_1.16-1+deb8u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpF5AXAxsgPE/8VIXaMB4voj4DNoFAljNclsACgkQaMB4voj4
DNqMchAAihw+uDNVXfMVNjD0xWCu13bICFDARrKH6h6mWq792YNOXFf2Qfc+OMsF
0CbFdkpeetdo110MKFh/FElhGDtHyIYwR9LF/opzbFqOybaT1hWURdyfIXhcjiRV
injmYrDp9kFxSjybzenBAxPTZ5TpHh5NiO47Jj+bu135/lUXBBE+gZ+TTNJyFXna
igKj1TMJOYjhK0LKAI8K5r3WNow+TeBRc4DjUrrSqqTyAZ7r2Q//daahnfbOp4KW
BUdRp4moNubVomjuw5hb6bQNhNIhxN/j3ksv5NphNrmXx3zaTm2hBOLS4jax75Md
BKhHX0BqY24oGHB7asRDxfYk1sftz2rxjHjZuvXiWxiR0VNRLbp0Qhfa+ryACHF7
wP+l/pvP1AlxEtA9eBkMy0pQoElsb+D2KfnRpZGBPzzkyzGMQJmSXWdL+rsntasX
RT93gijZQsY+ZviD887XISV/vp/3KqP8B65zeLo3jsZfGibfo0wWt1cIOplgznuL
6Ryv0c20AC24u33LtD8uxOizVVRgNMTSHXu8f0tuphIDOC6mXnGKta6L3GGkzKWC
9AHILeXoYxdmp3quDBGjpIf7crlnZfvLkgiQVvjCn+lRoR8umZN+KbeGwJdGhr7t
4pLTioR5J3w4Hz0K7s54RtR0LZL8eCdq7ac8kHFbv3jU+TskuoM=
=MxSi
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Apr 2017 07:27:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:30:34 2019; Machine Name: buxtehude
