[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1DgT7Q-0004Sz-FL@mercury.mandriva.com>
Date: Thu, 09 Jun 2005 13:55:12 -0600
From: Mandriva Security Team <security@...driva.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2005:098 - Updated wget packages fix vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: wget
Advisory ID: MDKSA-2005:098
Date: June 9th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________
Problem Description:
Two vulnerabilities were found in wget. The first is that an HTTP
redirect statement could be used to do a directory traversal and
write to files outside of the current directory. The second is that
HTTP redirect statements could be used to overwrite dot ('.') files,
potentially overwriting the user's configuration files (such as
.bashrc, etc.).
The updated packages have been patched to help address these problems
by replacing dangerous directories and filenames containing the dot ('.')
character with an underscore ('_') character.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1488
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
e61a21190da94a75eaaf083eb894dd3e 10.0/RPMS/wget-1.9.1-4.1.100mdk.i586.rpm
368f43f3ff9dbbe4502e84a38bac5786 10.0/SRPMS/wget-1.9.1-4.1.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
cf379f576b75dee53b747897bfe89c03 amd64/10.0/RPMS/wget-1.9.1-4.1.100mdk.amd64.rpm
368f43f3ff9dbbe4502e84a38bac5786 amd64/10.0/SRPMS/wget-1.9.1-4.1.100mdk.src.rpm
Mandrakelinux 10.1:
d182df118b7e9ade64b77983dff47fc4 10.1/RPMS/wget-1.9.1-4.2.101mdk.i586.rpm
91f8cbb93a4453a68c13bd12620e3e4e 10.1/SRPMS/wget-1.9.1-4.2.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
64827a4a355d106a477cb4b5bcf882cb x86_64/10.1/RPMS/wget-1.9.1-4.2.101mdk.x86_64.rpm
91f8cbb93a4453a68c13bd12620e3e4e x86_64/10.1/SRPMS/wget-1.9.1-4.2.101mdk.src.rpm
Mandrakelinux 10.2:
99aa2d3e18afa3e7ef1d3b746b70e431 10.2/RPMS/wget-1.9.1-5.1.102mdk.i586.rpm
fdf0fdde2c0d220c7b9cf755c3a28a98 10.2/SRPMS/wget-1.9.1-5.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
d6793d9ab06478949aa9bb75aa216138 x86_64/10.2/RPMS/wget-1.9.1-5.1.102mdk.x86_64.rpm
fdf0fdde2c0d220c7b9cf755c3a28a98 x86_64/10.2/SRPMS/wget-1.9.1-5.1.102mdk.src.rpm
Corporate Server 2.1:
e058c63a097aadc247458e54e092c03a corporate/2.1/RPMS/wget-1.8.2-3.2.C21mdk.i586.rpm
f45e8a97e6d535fc27d0053813959145 corporate/2.1/SRPMS/wget-1.8.2-3.2.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
89ae60b0b75411c6abb5774795f09af0 x86_64/corporate/2.1/RPMS/wget-1.8.2-3.2.C21mdk.x86_64.rpm
f45e8a97e6d535fc27d0053813959145 x86_64/corporate/2.1/SRPMS/wget-1.8.2-3.2.C21mdk.src.rpm
Corporate 3.0:
bcf947efa32f9ce531077faf5e470e98 corporate/3.0/RPMS/wget-1.9.1-4.2.C30mdk.i586.rpm
ab34a60ca4ebf44d2e02988e19df5929 corporate/3.0/SRPMS/wget-1.9.1-4.2.C30mdk.src.rpm
Corporate 3.0/X86_64:
66190c6d61c180ec8a3bc8592ca55da6 x86_64/corporate/3.0/RPMS/wget-1.9.1-4.2.C30mdk.x86_64.rpm
ab34a60ca4ebf44d2e02988e19df5929 x86_64/corporate/3.0/SRPMS/wget-1.9.1-4.2.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCqJ6gmqjQ0CJFipgRAlg6AKDkBBuwiP9H+OJIXwYGC0mLbyO0GgCdEvJY
kr610c8omeAtLtN+YLKS6C0=
=8PPd
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists