Advisories » MGASA-2014-0431

Updated wget packages fix CVE-2014-4877

Publication date: 28 Oct 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-4877


Updated wget package fixes security vulnerability:

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP (CVE-2014-4877).

The default settings in wget have been changed such that wget no longer
creates local symbolic links, but rather traverses them and retrieves the
pointed-to file in such a retrieval. The old behaviour can be attained by
passing the --retr-symlinks=no option to the wget command.
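
A check for directories fetched recursively over FTP with the old link-creating behaviour, added here as an example (it is not part of the advisory or of wget): it lists local symbolic links whose resolved target lies outside the download directory. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """Return sorted (link_path, raw_target) pairs for symlinks under root
    whose fully resolved target lies outside root."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: never descend through a symlinked directory.
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            raw = os.readlink(path)
            # Relative targets are resolved against the link's own directory;
            # an absolute target replaces dirpath in os.path.join.
            resolved = os.path.realpath(os.path.join(dirpath, raw))
            if os.path.commonpath([root_real, resolved]) != root_real:
                findings.append((os.path.relpath(path, root_real), raw))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a download directory holding three symlinks."""
    mirror = os.path.join(base, "mirror")
    docs = os.path.join(mirror, "pub", "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "README"), "w") as fh:
        fh.write("sample\n")
    # Stays inside the download directory: not reported.
    os.symlink("docs/README", os.path.join(mirror, "pub", "latest"))
    # Leaves the directory through an absolute target.
    os.symlink(os.path.join(base, "outside"), os.path.join(mirror, "pub", "abs"))
    # Leaves the directory through ../ traversal.
    os.symlink("../../../outside", os.path.join(docs, "up"))
    return mirror


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in find_escaping_symlinks(build_sample_tree(tmp)):
            print(f"{link} -> {target}")
```

Any link it reports should be reviewed before further files are written beneath that path.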