BugTraq
[oCERT-2010-001] multiple http client unexpected download filenamevulnerability May 17 2010 12:03PM
Daniele Bianco (danbia ocert org) (1 replies)
Re: [oss-security] [oCERT-2010-001] multiple http client unexpected download filename vulnerability Jun 09 2010 04:16PM
Marcus Meissner (meissner suse de) (1 replies)
Re: [oss-security] [oCERT-2010-001] multiple http client unexpected download filename vulnerability Jun 11 2010 08:53AM
Solar Designer (solar openwall com)
Hi,

Here's a summary of relevant postings to oss-security and bug-wget.

Unofficial patch for wget, by Florian Weimer:
http://www.openwall.com/lists/oss-security/2010/05/17/2

PoC attack on a wget cron job resulting in a .bash_profile overwrite:
http://www.openwall.com/lists/oss-security/2010/05/18/13

Brief description of an attack on a wget cron job not involving a
dot-file nor a home directory (but involving a website tree instead):
http://lists.gnu.org/archive/html/bug-wget/2010-05/msg00032.html

Advice on back-porting lftp's fix to versions 3.4.7 through 4.0.5:
http://www.openwall.com/lists/oss-security/2010/05/20/2
http://www.openwall.com/lists/oss-security/2010/06/10/1

On Wed, Jun 09, 2010 at 06:16:39PM +0200, Marcus Meissner wrote:
> Did anyone assign CVE ids for these?

Marcus' reminder has resulted in the following CVE assignments:

CVE-2010-2251 - lftp
CVE-2010-2252 - wget
CVE-2010-2253 - libwww-perl as used in lwp-download

Alexander

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus