This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: Security Advisory and Request for Wget Update: 1.10.2


Alan,

Thanks for the heads up, but next time I'll take the notice without the lip, thank you.

Harold

Alan Dobkin wrote:
FYI, Wget 1.10.2 was released over a month ago (on October 13, 2005):


The latest stable version of Wget is 1.10.2. This release contains
fixes for a major security problem: a remotely exploitable buffer
overflow vulnerability in the NTLM authentication code. All Wget users
are strongly encouraged to upgrade their Wget installation to the last
release.



http://www.mail-archive.com/wget@sunsite.dk/msg08295.html

http://www.mail-archive.com/wget@sunsite.dk/msg08300.html

It seems that Harold Hunt is the new wget maintainer, and I do not wish
to take his place, but new releases such as this (especially security
updates that affect Windows) should be provided in a timely manner.

Thanks,
Alan

P. S. -- Apparently this is the same bug that also affected cURL, which
has no current maintainer....


On 10/23/2005 3:46 PM, Yaakov S (Cygwin Ports) wrote:


cURL is vulnerable to a buffer overflow which could lead to the
execution of arbitrary code.

Solution: upgrade to 7.15.0.

Workaround until solved:
Disable NTLM authentication by not using the --anyauth or --ntlm
options when using cURL (the command line version). Workarounds for
programs that use the cURL library depend on the configuration options
presented by those programs.

http://security.gentoo.org/glsa/glsa-200510-19.xml
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
http://www.idefense.com/application/poi/display?id=322&type=vulnerabilities


Yaakov
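The thread's practical advice is a version floor: wget 1.10.2 and curl 7.15.0 are the first releases with the NTLM buffer-overflow fix. The following POSIX shell script is an added example, not code from the thread or from the Cygwin, wget or curl projects; it checks an installed binary's `--version` banner against those floors. It assumes only that the first line of `wget --version` and `curl --version` starts with the program name followed by a dotted version number (which holds for both tools); the banner strings inside the script are constructed samples, not captured output.

```sh
#!/bin/sh
# Added example: flag wget/curl installs older than the releases that fixed
# the NTLM authentication buffer overflow (wget 1.10.2, curl 7.15.0).
# Assumption: the first line of "<tool> --version" contains the version as
# the first run of digits and dots (e.g. "GNU Wget 1.10.2", "curl 7.14.1 (...)").

# extract_version <banner>: print the first dotted version number in the banner.
extract_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9]\{1,\}\(\.[0-9]\{1,\}\)*\).*/\1/p' \
        | head -n 1
}

# version_lt <a> <b>: succeed (exit 0) when dotted version a is older than b.
# Components are compared numerically, so 1.9 < 1.10 and 1.10 < 1.10.2.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# needs_update <banner> <fixed-version>: exit 0 if the banner's version is
# older than the first fixed release, 1 if it is fixed, 2 if unparseable.
needs_update() {
    installed=$(extract_version "$1")
    [ -n "$installed" ] || return 2
    version_lt "$installed" "$2"
}

# Constructed sample banners (not captured from real installations).
SAMPLE_WGET_OLD='GNU Wget 1.10.1'
SAMPLE_WGET_FIXED='GNU Wget 1.10.2'
SAMPLE_CURL_OLD='curl 7.14.1 (i686-pc-cygwin) libcurl/7.14.1 OpenSSL/0.9.8'

# report <tool> <banner> <fixed-version>: human-readable verdict for one banner.
report() {
    if needs_update "$2" "$3"; then
        echo "$1: $(extract_version "$2") is older than $3 (NTLM overflow fix); upgrade"
    elif [ $? -eq 2 ]; then
        echo "$1: could not parse version from banner: $2"
    else
        echo "$1: $(extract_version "$2") is at or above $3; ok"
    fi
}

report wget "$SAMPLE_WGET_OLD"   1.10.2
report wget "$SAMPLE_WGET_FIXED" 1.10.2
report curl "$SAMPLE_CURL_OLD"   7.15.0

# Check the real binaries too, if they are installed on this host.
for spec in "wget 1.10.2" "curl 7.15.0"; do
    set -- $spec
    if command -v "$1" >/dev/null 2>&1; then
        report "$1" "$("$1" --version 2>/dev/null | head -n 1)" "$2"
    fi
done
```

The numeric, component-wise comparison matters here: a plain string compare would rank 1.9 above 1.10 and 7.9 above 7.15, giving a false "ok" on exactly the releases the advisory is about.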

