USN-982-1: Wget vulnerability

2 September 2010

wget vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.04 LTS
  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Summary

Software Description

  • wget

Details

It was discovered that Wget would use filenames provided by the server when following 3xx redirects. If a user or automated system were tricked into downloading a file from a malicious site, a remote attacker could create the file with an arbitrary name (e.g. .wgetrc), and possibly run arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.04 LTS
wget - 1.12-1.1ubuntu2.1
Ubuntu 9.10
wget - 1.11.4-2ubuntu2.1
Ubuntu 9.04
wget - 1.11.4-2ubuntu1.2
Ubuntu 8.04 LTS
wget - 1.10.2-3ubuntu1.2
Ubuntu 6.06 LTS
wget - 1.10.2-1ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

ATTENTION: This update changes previous behaviour by ignoring the filename supplied by the server during redirects. To re-enable previous behaviour, use the new –trust-server-names option.

References