Updated wget2 packages fix security vulnerability
Arbitrary File Write via Metalink Path Traversal in GNU Wget2. CVE-2025-69194...
CVE-2025-69194
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially...
AZL-73901 CVE-2025-69194 affecting package wget for versions less than 2.1.0-7
CVE-2025-69194 Wget2: arbitrary file write via metalink path traversal in gnu wget2
SUSE CVE-2021-22922
When curl is instructed to download content using the metalink feature, the contents are verified against a hash provided in the metalink XML file. The metalink XML file points out to the client how to get the same content from a set of different URLs, potentially hosted by different servers and...
GLSA-202212-01 : curl: Multiple Vulnerabilities
The remote host is affected by the vulnerability described in GLSA-202212-01 curl: Multiple Vulnerabilities - When curl is instructed to download content using the metalink feature, the contents are verified against a hash provided in the metalink XML file. The metalink XML file points out to the...
NewStart CGSL MAIN 6.02 : curl Multiple Vulnerabilities (NS-SA-2022-0083)
The remote NewStart CGSL host, running version MAIN 6.02, has curl packages installed that are affected by multiple vulnerabilities: - Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. CVE-2020-8231 - A malicious server can use the FTP...
AlmaLinux 8 : curl (ALSA-2021:3582)
The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:3582 advisory. - When curl is instructed to download content using the metalink feature, the contents are verified against a hash provided in the metalink XML file. The...
Mageia: Security Advisory (MGASA-2021-0384)
The remote host is missing an update for the Mageia advisory MGASA-2021-0384.
EulerOS 2.0 SP9 : curl (EulerOS-SA-2021-2707)
According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - When curl is instructed to download content using the metalink feature, the contents are verified against a hash provided in the metalink XML file...
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2021-2627)
The remote host is missing an update for the Huawei EulerOS curl package described in EulerOS-SA-2021-2627.
EulerOS 2.0 SP8 : curl (EulerOS-SA-2021-2627)
CentOS 8 : curl (CESA-2021:3582)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:3582 advisory. - curl: Content not matching hash in Metalink is not being discarded CVE-2021-22922 - curl: Metalink download sends credentials CVE-2021-22923 - curl:...
Moderate: Red Hat Security Advisory: curl security update
An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the C...
curl: Content not matching hash in Metalink is not being discarded
A flaw was found in curl in the way curl handles a file hash mismatch after downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to trick users into downloading malicious content. The highest threat from this vulnerability is to integrity...
RLSA-2021:3582 Moderate: curl security update
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fixes: curl: Content not matching hash in Metalink is not being discarded CVE-2021-22922 curl: Metalink download sends credentials...
Moderate: curl security update
CVE-2021-22922
When curl is instructed to download content using the metalink feature, the contents are verified against a hash provided in the metalink XML file. The metalink XML file points out to the client how to get the same content from a set of different URLs, potentially hosted by different servers, and the client can then download the file from one or several of them, in a serial or parallel manner. If one of the servers hosting the contents has been breached and the contents of the specific file on that server are replaced with a modified payload, curl should detect this when the hash of the file mismatches after a completed download. It should remove the contents and instead try getting the contents from another URL. This is not done; instead, such a hash mismatch is only mentioned in text and the potentially malicious content is kept in the file on disk.
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then passed on to each of the servers from which curl will download, or try to download, the contents. This is often contrary to the user's expectations and intentions, and it happens without telling the user.
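The three Metalink client failures listed on this page (wget2 writing to an attacker-chosen path from the file name, curl keeping hash-mismatched content instead of discarding it and trying another mirror, and curl forwarding the credentials used for the Metalink document to every mirror) come down to three checks a client has to make. The following is an added example written for this page, not code from curl, wget2 or any advisory, showing those checks in a small Python Metalink client. The Metalink documents, the hostnames mirror-a.example, mirror-b.example and origin.example, the credentials and the file contents are all constructed for the demo, and the network is replaced by an in-memory fetcher so it runs offline.

```python
# Hardened Metalink client policy (added example, not curl's or wget2's code).
# Checks: confine <file name="..."> to the download directory, send the
# Metalink document's credentials to no mirror, discard hash mismatches
# and fall back to the next <url>.
import hashlib
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"m": "urn:ietf:params:xml:ns:metalink"}  # RFC 5854 namespace

# Constructed sample documents: hostnames, names and content are made up.
GOOD = b"hello world\n"
GOOD_SHA256 = hashlib.sha256(GOOD).hexdigest()
SAMPLE_METALINK = f"""<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="release/hello.txt">
    <hash type="sha-256">{GOOD_SHA256}</hash>
    <url>https://mirror-a.example/hello.txt</url>
    <url>https://mirror-b.example/hello.txt</url>
  </file>
</metalink>
""".encode()


class MetalinkError(Exception):
    pass


def safe_name(name: str) -> str:
    """Return a normalized path confined to the download directory, or raise.
    Rejects empty names, absolute paths, backslashes and any '..' component
    that survives normalization ('a/../b' is fine, 'a/../../b' is not)."""
    if not name or name.startswith("/") or "\\" in name:
        raise MetalinkError(f"unsafe file name: {name!r}")
    norm = posixpath.normpath(name)
    if norm.startswith("/") or norm == "." or ".." in norm.split("/"):
        raise MetalinkError(f"path traversal in file name: {name!r}")
    return norm


def is_safe_name(name: str) -> bool:
    try:
        safe_name(name)
        return True
    except MetalinkError:
        return False


def parse_metalink(xml_bytes: bytes) -> list[dict]:
    """Parse <file> entries into {name, sha256, urls}; names are validated
    here so a hostile document fails before any network access."""
    files = []
    for f in ET.fromstring(xml_bytes).findall("m:file", NS):
        sha256 = None
        for h in f.findall("m:hash", NS):
            if h.get("type") == "sha-256" and h.text:
                sha256 = h.text.strip().lower()
        files.append({
            "name": safe_name(f.get("name", "")),
            "sha256": sha256,
            "urls": [u.text.strip() for u in f.findall("m:url", NS) if u.text],
        })
    return files


def download(files, fetch, creds=None, metalink_host=None):
    """fetch(url, auth) -> bytes or None is supplied by the caller.
    creds (user, password) go only to metalink_host, the host the Metalink
    document itself came from; mirrors never see them."""
    results = {}
    for f in files:
        if f["sha256"] is None:  # policy choice: no hash, no download
            raise MetalinkError(f"{f['name']}: no sha-256, refusing unverifiable content")
        for url in f["urls"]:
            auth = creds if creds and urlsplit(url).hostname == metalink_host else None
            data = fetch(url, auth)
            if data is not None and hashlib.sha256(data).hexdigest() == f["sha256"]:
                results[f["name"]] = data
                break
            # mismatch or failure: the bytes are dropped, not written; next mirror
        else:
            raise MetalinkError(f"{f['name']}: no mirror delivered content matching the hash")
    return results


def make_fake_fetcher(log):
    """Constructed offline stand-in for HTTP: mirror-a serves a tampered file,
    mirror-b the genuine one; log records which host got which credentials."""
    responses = {
        "https://mirror-a.example/hello.txt": b"tampered payload\n",
        "https://mirror-b.example/hello.txt": GOOD,
    }

    def fetch(url, auth):
        log.append((urlsplit(url).hostname, auth))
        return responses.get(url)
    return fetch


def demo():
    log = []
    files = parse_metalink(SAMPLE_METALINK)
    out = download(files, make_fake_fetcher(log),
                   creds=("alice", "s3cret"), metalink_host="origin.example")
    return out, log
```

Running demo() yields the genuine content from mirror-b only, and the fetch log shows both mirrors were contacted with auth set to None, since neither is the host the Metalink document came from. The tampered bytes from mirror-a are never returned to the caller, so nothing mismatched reaches disk. Name validation happens in parse_metalink, before any URL is contacted, so a document whose file name escapes the download directory is rejected outright.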