List: oss-security
Subject: Re: [oss-security] [oCERT-2010-001] multiple http client unexpected download filename vulnerability
From: Solar Designer <solar () openwall ! com>
Date: 2010-08-17 19:09:05
Message-ID: 20100817190905.GA5658 () openwall ! com

On Wed, Jun 09, 2010 at 03:47:42PM -0400, Steven M. Christey wrote:
> CVE-2010-2252 - wget

This is finally getting fixed in wget upstream:

http://lists.gnu.org/archive/html/bug-wget/2010-07/msg00076.html

Giuseppe had to come up with his own patch (included at the end of the
posting above). He "couldn't" use Florian's patch for licensing reasons
(getting a patch into an FSF project requires some paperwork sent to the
FSF, and somehow this process got stalled at some stage).

The new option name is "--trust-server-names".

Some criticism from a wget user, and Giuseppe's answer (which I agree with):

http://lists.gnu.org/archive/html/bug-wget/2010-08/msg00004.html

So things look good. We should expect this feature and the safe default
in the next wget release.

(I did not test the patch myself, but I "trust" that it works.)

Alexander