Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: wget
Date: Fri, 20 Dec 2002 17:20:28
Message-Id: 20021220171602.568AB576B@mail2.tamperd.net

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200212-7
- - --------------------------------------------------------------------

PACKAGE : wget
SUMMARY : directory traversal
DATE    : 2002-12-20 17:12 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

Quote from advisory

"A malicious server could potentially overwrite key files to cause a
denial of service or, in some cases, gain privileges by modifying
executable files. The risk is mitigated because non-default
configurations are primarily affected, and the user must be convinced
to access the malicious server. However, web-based clients may be
more easily exploited."

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=103962838628940&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/wget-1.8.2-r1 and earlier update their systems as follows:

emerge rsync
emerge wget
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+A1BVfT7nyhUpoZMRAitfAJ0ZuwvlTRZnBP9rzfRPE51L7Qm3MwCfUXLn
4QPk2v8r54aB+53CPAwIFhk=
=RLsN
-----END PGP SIGNATURE-----