oss-sec mailing list archives
Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability
From: Solar Designer <solar () openwall com>
Date: Tue, 17 Aug 2010 23:09:05 +0400
On Wed, Jun 09, 2010 at 03:47:42PM -0400, Steven M. Christey wrote:
> CVE-2010-2252 - wget

This is finally getting fixed in wget upstream:

http://lists.gnu.org/archive/html/bug-wget/2010-07/msg00076.html

Giuseppe had to come up with his own patch (included at the end of the posting above). He "couldn't" use Florian's patch for licensing reasons (getting a patch into an FSF project requires some paperwork sent to the FSF, and somehow this process got stalled at some stage).

The new option name is "--trust-server-names".

Some criticism from a wget user, and Giuseppe's answer (which I agree with):

http://lists.gnu.org/archive/html/bug-wget/2010-08/msg00004.html

So things look good. We should expect this feature and the safe default in the next wget release.

(I did not test the patch myself, but I "trust" that it works.)

Alexander