Ubuntu Security Notice USN-982-1
2nd September, 2010
wget vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 9.04
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS
Software description
- wget
Details
It was discovered that Wget would use filenames provided by the server when
following 3xx redirects. If a user or automated system were tricked into
downloading a file from a malicious site, a remote attacker could create
the file with an arbitrary name (e.g. .wgetrc), and possibly run arbitrary
code.
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 10.04 LTS:
- wget 1.12-1.1ubuntu2.1
- Ubuntu 9.10:
- wget 1.11.4-2ubuntu2.1
- Ubuntu 9.04:
- wget 1.11.4-2ubuntu1.2
- Ubuntu 8.04 LTS:
- wget 1.10.2-3ubuntu1.2
- Ubuntu 6.06 LTS:
- wget 1.10.2-1ubuntu1.2
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
ATTENTION: This update changes previous behaviour by ignoring the filename
supplied by the server during redirects. To re-enable previous behaviour,
use the new --trust-server-names option.