Puppy Linux Discussion Forum
Critical vulnerability in pre-1.16 versions of wget fixed

l0wt3ch
Posted: Fri 31 Oct 2014, 02:48    Post subject: Critical vulnerability in pre-1.16 versions of wget fixed

Critical vulnerability discovered in wget. New, fixed version, tested on Slacko 5.7:

wget-1.16

darry1966
Posted: Fri 31 Oct 2014, 03:33    Post subject: Re: Critical vulnerability in pre-1.16 versions of wget fixed

l0wt3ch wrote:
Critical vulnerability discovered in wget. New, fixed version, tested on Slacko 5.7:

wget-1.16

Does this version of wget work in Puppy Linux 4 and Wary etc.?

l0wt3ch
Posted: Fri 31 Oct 2014, 04:29

All current and past versions of Puppy are affected.

The .pet has only been tested on Slacko.

Semme
Posted: Fri 31 Oct 2014, 05:30

l0wt3ch, while the updated build is appreciated, the announcement belongs in our security forum.

Lucid, Precise *patched* versions here >> https://launchpad.net/ubuntu/+source/wget

Slacko >> http://slackware.cs.utah.edu/pub/slackware/slackware-14.0/patches/packages
Quote:
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/wget-1.14-i486-3_slack14.1.txz: Rebuilt.
This update fixes a symlink vulnerability that could allow an attacker
to write outside of the expected directory.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
(* Security fix *)
+--------------------------+

l0wt3ch
Posted: Fri 31 Oct 2014, 06:33

Semme wrote:
l0wt3ch, while the updated build is appreciated, the announcement belongs in our security forum.


Oops! (embarrassed)

Semme
Posted: Fri 31 Oct 2014, 07:52

;) Hey, not a biggie, but that's where it'll get noticed. This forum's otherwise fine for all non-security-related upgrades.

Bert
Posted: Fri 31 Oct 2014, 08:40

Thanks for this l0wt3ch,

It does not seem to work in Precise 5.7.2:

Code:
wget: error while loading shared libraries: libgnutls.so.28: cannot open shared object file: No such file or directory


It is also much bigger than the installed wget 1.13.4. (362k installed) Probably because all locales and the manual are included.

PPM does not find libgnutls.so.28. Pfind says libgnutls.so.26 is installed.

A search on the net was quickly ended; I started to drown in a morass of complexity and extra dependencies.
A guru will be needed :)

Semme
Posted: Fri 31 Oct 2014, 08:57

Bert >> no guru, just re-read my post. Remove the one you grabbed and install this one.

Bert
Posted: Fri 31 Oct 2014, 09:21

Ah, the art of careful reading... (embarrassed)

Thank you Semme!

l0wt3ch
Posted: Fri 31 Oct 2014, 09:34

Quote:
The vulnerability has now been fixed by the Wget project in wget 1.16, which blocks the default setting that allowed the setting of local symlinks.

"Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch," Moore said.

darry1966
Posted: Fri 31 Oct 2014, 19:57

Sorry, I meant to ask if this patch works in Puppy 4 and Wary.

8Geee
Posted: Fri 31 Oct 2014, 20:43

l0wt3ch

I have the tar.gz release from gnu org.

Are there any "directory" mods needed to the gnu org release? If there are many, ya don't have to list them... I was about to install to usr/bin as a test.

Where does the pet install?

l0wt3ch
Posted: Fri 31 Oct 2014, 23:57

The package I posted is just the 1.16 version of wget.

It's been tested on Slacko 5.7 only.

Semme
Posted: Sat 01 Nov 2014, 05:42

Here..
install_dirs.txt.gz (gz attachment, 1.04 KB)

Dingo
Posted: Sat 01 Nov 2014, 10:23    Post subject: wget 1.16 for puppy 3.01

wget 1.16 for puppy 3.01
wget-1.16-i486.pet for puppy 3.01

- compressed with upx (273 KB)
- without nls
Code:
GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 +iri +large-file -nls -ntlm +opie -psl +ssl/gnutls

Wgetrc:
    /root/.wgetrc (user)
    /usr/etc/wgetrc (system)
Compile:
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -g -O2
Link:
    gcc -g -O2 /usr/lib/libgnutls.so /usr/lib/libgcrypt.so
    /usr/lib/libgpg-error.so /usr/lib/libz.a /usr/lib/libnsl.so -lz
    -lidn -luuid -lpcre -lrt ftp-opie.o gnutls.o ../lib/libgnu.a
