[SECURITY] [DLA 536-1] wget security update

2016-06-3020:12:28

lists.debian.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.957 High

EPSS

Percentile

99.4%

JSON

Package : wget
Version : 1.13.4-3+deb7u3
CVE ID : CVE-2016-4971
Debian Bug : 827003

On a server redirect from HTTP to a FTP resource, wget would trust
the HTTP server and uses the name in the redirected URL as the
destination filename.
This behaviour was changed and now it works similarly as a redirect
from HTTP to another HTTP resource so the original name is used as
the destination file. To keep the previous behaviour the user must
provide --trust-server-names.

For Debian 7 "Wheezy", these problems have been fixed in version
1.13.4-3+deb7u3.

We recommend that you upgrade your wget packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8mipselwget< 1.16-1+deb8u1wget_1.16-1+deb8u1_mipsel.deb
Debian8arm64wget< 1.16-1+deb8u1wget_1.16-1+deb8u1_arm64.deb
Debian7i386wget< 1.13.4-3+deb7u3wget_1.13.4-3+deb7u3_i386.deb
Debian7allwget< 1.13.4-3+deb7u3wget_1.13.4-3+deb7u3_all.deb
Debian8mipswget< 1.16-1+deb8u1wget_1.16-1+deb8u1_mips.deb
Debian8armelwget< 1.16-1+deb8u1wget_1.16-1+deb8u1_armel.deb
Debian8ppc64elwget< 1.16-1+deb8u1wget_1.16-1+deb8u1_ppc64el.deb
Debian7amd64wget< 1.13.4-3+deb7u3wget_1.13.4-3+deb7u3_amd64.deb
Debian8powerpcwget< 1.16-1+deb8u1wget_1.16-1+deb8u1_powerpc.deb
Debian7armhfwget< 1.13.4-3+deb7u3wget_1.13.4-3+deb7u3_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	mipsel	wget	< 1.16-1+deb8u1	wget_1.16-1+deb8u1_mipsel.deb
Debian	8	arm64	wget	< 1.16-1+deb8u1	wget_1.16-1+deb8u1_arm64.deb
Debian	7	i386	wget	< 1.13.4-3+deb7u3	wget_1.13.4-3+deb7u3_i386.deb
Debian	7	all	wget	< 1.13.4-3+deb7u3	wget_1.13.4-3+deb7u3_all.deb
Debian	8	mips	wget	< 1.16-1+deb8u1	wget_1.16-1+deb8u1_mips.deb
Debian	8	armel	wget	< 1.16-1+deb8u1	wget_1.16-1+deb8u1_armel.deb
Debian	8	ppc64el	wget	< 1.16-1+deb8u1	wget_1.16-1+deb8u1_ppc64el.deb
Debian	7	amd64	wget	< 1.13.4-3+deb7u3	wget_1.13.4-3+deb7u3_amd64.deb
Debian	8	powerpc	wget	< 1.16-1+deb8u1	wget_1.16-1+deb8u1_powerpc.deb
Debian	7	armhf	wget	< 1.13.4-3+deb7u3	wget_1.13.4-3+deb7u3_armhf.deb