Message-ID: <80e97dca-79ed-429f-b041-355db8f3be72@oracle.com>
Date: Mon, 18 Nov 2024 11:06:36 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: wget-1.25.0 released [fixes CVE-2024-10524]

The JFrog Security Research Team has posted about this vulnerability in:
https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/

They say:

"The vulnerability, later assigned CVE-2024-10524, may lead to various types
of attacks – including phishing, SSRF, and MiTM. These attacks can have severe
consequences such as resource restriction bypass and sensitive information
exposure."

and

"It has been discovered that when using the HTTP shorthand format with
user-provided input, unexpected behavior may occur. Wget might issue an FTP
request to a different host – a potentially attacker-controlled host or a
restricted host which the user normally does not have access to. This SSRF
vulnerability can be the starting point for many types of attacks."

-------- Forwarded Message --------
Subject: wget-1.25.0 released [stable]
Date: Mon, 11 Nov 2024 16:36:47 +0100
From: Darshit Shah <darnir@....org>
To: info-gnu@....org
CC: coordinator@...nslationproject.org, bug-wget@....org

I'm glad to announce wget-1.25.0, a new stable release.

GNU wget is a free software package for retrieving files using HTTP, HTTPS
and FTP, the most widely-used Internet protocols. It is a non-interactive
command-line tool, so it may easily be called from scripts, cron jobs,
terminals without X Window System support, etc.

There are two breaking changes in this release.

The first and more important one is that the shorthand format for both HTTP
and FTP URLs has been entirely removed. This format was previously deprecated
and is now no longer supported. This means invocations of the form:

```
$ wget username:password@...erver
```

will now result in a URL error. Users must use the full form:

```
$ wget http://username:password@...erver
```

The other breaking change is that input file reads are now non-blocking.
Suppose you used the following invocation

```
$ print_urls | wget -i-
```

to retrieve a list of URLs provided to Wget on stdin. Previously, wget would
attempt to read everything it could at the beginning, close stdin and retrieve
all URLs. With 1.25.0, Wget will continuously keep reading from the pipe until
the other end closes the pipe. This feature is currently not available on
Windows.

There were other minor changes and stability improvements.

There have been 46 commits by 3 people in the 35 weeks since 1.24.5.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Darshit Shah (13)
  Sam James (2)
  Tim Rühsen (31)

Darshit
[on behalf of the wget maintainers]
==================================================================

Here is the GNU wget home page:
    https://gnu.org/s/wget/

For a summary of changes and contributors, see:
  https://git.sv.gnu.org/gitweb/?p=wget.git;a=shortlog;h=v1.25.0
or run this command from a git-cloned wget directory:
  git shortlog v1.24.5..v1.25.0

Here are the compressed sources:
  https://ftpmirror.gnu.org/wget/wget-1.25.0.tar.gz   (5.1MB)
  https://ftpmirror.gnu.org/wget/wget-1.25.0.tar.lz   (2.5MB)

Here are the GPG detached signatures:
  https://ftpmirror.gnu.org/wget/wget-1.25.0.tar.gz.sig
  https://ftpmirror.gnu.org/wget/wget-1.25.0.tar.lz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  939b74b0759a2e5f57ec9ac12f5b4403fd9cf5cf  wget-1.25.0.tar.gz
  dm5IQj55NZ6jHkHbnlwolnWUen/PLv3O23JqydDaN4Q=  wget-1.25.0.tar.gz
  ca79e61fbf1d32133f60ef7c7d476b250b6da423  wget-1.25.0.tar.lz
  GSJcx1awoIj8gRSNxqQKDI8ymvf9hIPxx7L+UPTgih8=  wget-1.25.0.tar.lz

Verify the base64 SHA256 checksum with cksum -a sha256 --check
from coreutils-9.2 or OpenBSD's cksum since 2007.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:

  gpg --verify wget-1.25.0.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   rsa4096 2015-10-14 [SC]
        7845 120B 07CB D8D6 ECE5  FF2B 2A17 43ED A91A 35B6
  uid   Darshit Shah <gpg@...nir.net>
  uid   Darshit Shah <darnir@....org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key gpg@...nir.net

  gpg --recv-keys 64FF90AAE8C70AF9

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=wget&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify wget-1.25.0.tar.gz.sig

This release was bootstrapped with the following tools:
  Autoconf 2.72
  Automake 1.17
  Gnulib v1.0-1057-g74b6a2a738

NEWS

* Noteworthy changes in release 1.25.0 (2024-11-10) [stable]

** [Breaking change] Drop support for shorthand FTP URLs (CVE-2024-10524)
** [Breaking change] Switch to continuous reading from stdin pipes
** Reimplement user-info parsing based on RFC 2396
** Fix a build issue with libproxy and --disable-debug
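As an added example (not code from the wget project or from either message above), here is a POSIX sh wrapper for scripts that hand wget URLs taken from outside input. It covers two points the announcement raises: it refuses the schemeless shorthand form (`user:pass@host`) that this release removes and that older wget versions still interpret on their own, pinning the parsed host to an allowlist before wget is invoked; and it verifies the base64-encoded SHA256 checksums the announcement publishes on systems whose coreutils predates 9.2 and so lacks `cksum -a sha256`. Assumptions: GNU coreutils `base64 -d` and `sha256sum` are available (`od` and `tr` are POSIX); the allowlist contents and the function names are illustrative; the scheme match is case-sensitive and lowercase only.

```shell
#!/bin/sh
# Added example, not part of the wget project or the release announcement.
# Assumes GNU coreutils (base64 -d, sha256sum); od and tr are POSIX.

# Hypothetical allowlist of download hosts; adjust for your environment.
ALLOWED_HOSTS="ftpmirror.gnu.org ftp.gnu.org"

# url_host URL: print the host of an absolute http/https/ftp URL.
# Returns 1 for anything without an explicit scheme, which is exactly the
# shorthand form that older wget versions interpret on their own.
url_host() {
    case $1 in
        http://*|https://*|ftp://*) ;;      # lowercase schemes only
        *) return 1 ;;
    esac
    rest=${1#*://}                   # strip the scheme
    authority=${rest%%/*}            # keep only the authority part
    authority=${authority%%\?*}      # (query may follow with no path)
    authority=${authority%%#*}       # (or a fragment)
    hostport=${authority##*@}        # drop userinfo, up to the last '@'
    case $hostport in
        \[*) host=${hostport%%]*}\] ;;   # bracketed IPv6 literal
        *)   host=${hostport%%:*} ;;     # drop an optional port
    esac
    [ -n "$host" ] && printf '%s\n' "$host"
}

# host_allowed HOST: exit 0 only if HOST is on the allowlist.
host_allowed() {
    for h in $ALLOWED_HOSTS; do
        if [ "$1" = "$h" ]; then return 0; fi
    done
    return 1
}

# b64_to_hex BASE64: print a base64 digest as lowercase hex.
b64_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# check_sha256 FILE BASE64: exit 0 if FILE's SHA256 equals the base64 digest.
check_sha256() {
    expected=$(b64_to_hex "$2")
    if [ ${#expected} -ne 64 ]; then
        echo "malformed SHA256 checksum: $2" >&2
        return 2
    fi
    actual=$(sha256sum -- "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_release URL BASE64_SHA256: validate the URL, download it with wget
# into the current directory, and verify the checksum; on mismatch the
# file is removed so nothing unverified is left behind.
fetch_release() {
    host=$(url_host "$1") || {
        echo "refusing URL without an explicit scheme: $1" >&2; return 2; }
    host_allowed "$host" || {
        echo "refusing host not on the allowlist: $host" >&2; return 3; }
    file=${1##*/}
    wget -q -O "$file" -- "$1" || return 4
    check_sha256 "$file" "$2" || {
        echo "checksum mismatch, removing $file" >&2; rm -f -- "$file"; return 5; }
}

# Usage (constructed values, not run here):
#   fetch_release https://ftpmirror.gnu.org/wget/wget-1.25.0.tar.gz \
#                 'dm5IQj55NZ6jHkHbnlwolnWUen/PLv3O23JqydDaN4Q='
```

`url_host` is deliberately strict: an input that merely looks like a URL but lacks `://` is rejected outright rather than guessed at, so the ambiguity that the shorthand form introduced never reaches wget. The checksum helper decodes the announcement's base64 digest to hex and compares it with `sha256sum`, which gives the same result as `cksum -a sha256 --check` without depending on coreutils 9.2.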