Advisories » MGASA-2014-0431

Updated wget packages fix CVE-2014-4877

Publication date: 28 Oct 2014
Modification date: 28 Oct 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-4877

Description

Updated wget package fixes security vulnerability:

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP (CVE-2014-4877).

The default settings in wget have been changed such that wget no longer
creates local symbolic links, but rather traverses them and retrieves the
pointed-to file in such a retrieval. The old behaviour can be attained by
passing the --retr-symlinks=no option to the wget command.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=14386
• https://bugzilla.redhat.com/show_bug.cgi?id=1139181
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877

SRPMS

3/core

• wget-1.14-2.2.mga3

4/core

• wget-1.14-4.2.mga4