Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DSA-209-1:42153
HistoryDec 12, 2002 - 10:49 p.m.

[SECURITY] [DSA-209-1] two wget problems

2002-12-1222:49:14
lists.debian.org
15

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

AI Score

6.7

Confidence

Low

EPSS

0.064

Percentile

93.7%

JSON

Debian Security Advisory DSA-209-1 [email protected]
http://www.debian.org/security/ Wichert Akkerman
December 12, 2002

Package : wget
Problem type : directory traversal
buffer overflow
Debian-specific: no
CVEs : CAN-2002-1344

Two problems have been found in the wget package as distributed in
Debian GNU/Linux:

  • Stefano Zacchiroli found a buffer overrun in the url_filename function,
    which would make wget segfault on very long URLs

  • Steven M. Christey discovered that wget did not verify the FTP server
    response to a NLST command: it must not contain any directory information,
    since that can be used to make a FTP client overwrite arbitrary files.

Both problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux
2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.

Obtaining updates:

By hand:
wget URL
will fetch the file for you.
dpkg -i FILENAME.deb
will install the fetched file.

With apt:
deb http://security.debian.org/ stable/updates main
added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at http://www.debian.org/security/

Debian GNU/Linux 2.2 alias potato

Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

Source archives:

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.diff.gz
  Size/MD5 checksum:    75231 61d99d8ab75b95cd9fa2459e74182a50
http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3.orig.tar.gz
  Size/MD5 checksum:   446966 47680b25bf893afdb0c43b24e3fc2fd6
http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.dsc
  Size/MD5 checksum:     1163 9eb3c57aa94d74e3c6e4097b5d941563

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_alpha.deb
  Size/MD5 checksum:   249228 0eedd7487056460a8de93ea2ed3402f2

arm architecture (ARM)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_arm.deb
  Size/MD5 checksum:   233342 9a57b21e6611b46b3991bb38e75dbd08

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_i386.deb
  Size/MD5 checksum:   227812 fc7c576836d26cebc397c07f3bbd1488

m68k architecture (Motorola Mc680x0)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_m68k.deb
  Size/MD5 checksum:   224820 b967f1e1b960be2fce3fb2cae55b6710

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_powerpc.deb
  Size/MD5 checksum:   234646 48b138d481cebbe85b437d82b63285b7

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_sparc.deb
  Size/MD5 checksum:   235500 631874205d8d85378555387209a9db37

Debian GNU/Linux 3.0 alias woody

Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
powerpc, s390 and sparc. An update for mipsel is not available at this
moment.

Source archives:

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1.orig.tar.gz
  Size/MD5 checksum:  1097780 6ca8e939476e840f0ce69a3b31c13060
http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.diff.gz
  Size/MD5 checksum:     9939 69f96b6608e043e0d781061a22e90169
http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.dsc
  Size/MD5 checksum:     1217 97af60040e8d7a2cd538d18a5120cd87

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_alpha.deb
  Size/MD5 checksum:   364338 aeade9ab45904c8b6c64fcdb5934576e

arm architecture (ARM)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_arm.deb
  Size/MD5 checksum:   335972 dfe4085e95fd53be9821d1b33d79d134

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_hppa.deb
  Size/MD5 checksum:   355790 32dd606c8dc5b3d3fc8000519009de4e

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_i386.deb
  Size/MD5 checksum:   332394 afc976eaaf4cd416f8eedd347d18367b

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_ia64.deb
  Size/MD5 checksum:   393540 efb82eb46927b657fa8e2706f475bf53

m68k architecture (Motorola Mc680x0)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_m68k.deb
  Size/MD5 checksum:   327236 60f0449f6d0a3b4ff76beb59f1e762d0

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_mips.deb
  Size/MD5 checksum:   348676 af79ba0f16b12678594f15bdf49325b9

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_powerpc.deb
  Size/MD5 checksum:   341130 0d67a5f9b284e2088847935901333888

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_s390.deb
  Size/MD5 checksum:   336118 c731e21474d3965c851fcb3921abe979

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_sparc.deb
  Size/MD5 checksum:   340978 3ba4e8cdf1c96b5ba5fd7d52316d73e2

Debian Security team <[email protected]>
http://www.debian.org/security/
Mailing-List: [email protected]

Related

debiancve 1
nessus 3
openvas 2
nvd 1
cert 1
redhat 1
cvelist 1
cve 1
osv 1
securityvulns 2
debiancve
debiancve
CVE-2002-1344
2002-12-18 05:00:00
nessus
nessus
Mandrake Linux Security Advisory : wget (MDKSA-2002:086)
2004-07-31 00:00:00
RHEL 2.1 : wget (RHSA-2002:256)
2004-07-06 00:00:00
Debian DSA-209-1 : wget - directory traversal
2004-09-29 00:00:00
openvas
openvas
Debian Security Advisory DSA 209-1 (wget)
2008-01-17 00:00:00
Debian: Security Advisory (DSA-209)
2008-01-17 00:00:00
nvd
nvd
CVE-2002-1344
2002-12-18 05:00:00
cert
cert
wget contains directory traversal vulnerability
2002-12-10 00:00:00
redhat
redhat
(RHSA-2002:256) wget security update
2003-02-06 00:00:00
cvelist
cvelist
CVE-2002-1344
2002-12-11 05:00:00
cve
cve
CVE-2002-1344
2002-12-18 05:00:00
osv
osv
wget - directory traversal
2002-12-12 00:00:00
securityvulns
securityvulns
Directory Traversal Vulnerabilities in FTP Clients
2002-12-11 00:00:00
[NEWS] Directory Traversal Vulnerabilities in FTP Clients
2002-12-11 00:00:00

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

AI Score

6.7

Confidence

Low

EPSS

0.064

Percentile

93.7%

JSON
Related for DEBIAN:DSA-209-1:42153
debiancve1nessus3openvas2nvd1cert1redhat1cvelist1cve1osv1securityvulns2