USN-982-1: Wget vulnerability

Ubuntu Security Notice USN-982-1

2nd September, 2010

wget vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.04 LTS
  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software description

  • wget

Details

It was discovered that Wget would use filenames provided by the server when
following 3xx redirects. If a user or automated system were tricked into
downloading a file from a malicious site, a remote attacker could create
the file with an arbitrary name (e.g. .wgetrc), and possibly run arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 10.04 LTS:
wget 1.12-1.1ubuntu2.1
Ubuntu 9.10:
wget 1.11.4-2ubuntu2.1
Ubuntu 9.04:
wget 1.11.4-2ubuntu1.2
Ubuntu 8.04 LTS:
wget 1.10.2-3ubuntu1.2
Ubuntu 6.06 LTS:
wget 1.10.2-1ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

ATTENTION: This update changes previous behaviour by ignoring the filename
supplied by the server during redirects. To re-enable previous behaviour,
use the new --trust-server-names option.

References

CVE-2010-2252