
[Bug-wget] GNU wget 1.18 released


From: Giuseppe Scrivano
Subject: [Bug-wget] GNU wget 1.18 released
Date: Thu, 09 Jun 2016 18:57:12 +0200

Hello,

We are pleased to announce the new version of GNU wget.

This version fixes a security vulnerability (CVE-2016-4971) present in
all old versions of wget.  The vulnerability was discovered by Dawid
Golunski and was reported to us by Beyond Security's SecuriTeam.

On a server redirect from HTTP to an FTP resource, wget would trust the
HTTP server and use the name in the redirected URL as the destination
filename.
This behaviour was changed and now it works similarly to a redirect from
HTTP to another HTTP resource, so the original name is used as
the destination file.  To keep the previous behaviour the user must
provide --trust-server-names.

The new version is available for download here:

ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.gz
ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.xz

and the GPG detached signatures using the key E163E1EA:

ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.gz.sig
ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.xz.sig

To reduce load on the main server, you can use this redirector service
which automatically redirects you to a mirror:

http://ftpmirror.gnu.org/wget/wget-1.18.tar.gz
http://ftpmirror.gnu.org/wget/wget-1.18.tar.xz

Noteworthy changes:

* By default, on server redirects to an FTP resource, use the original
  URL to get the local file name. Close CVE-2016-4971.  This
  introduces a backward-incompatibility for HTTP->FTP redirects and
  any script that relies on the old behaviour must use
  --trust-server-names.

* Check the HSTS file is not world-writable before using it.

* Parse <img srcset> attributes on a recursive download.

* Fix problem with SNI server names having trailing dot(s).

* New options --bind-dns-address and --dns-servers.

* When Wget is built with libiconv, it now converts non-ASCII URIs to
  the locale's codeset when it creates files.  The encoding of the
  remote files and URIs is taken from --remote-encoding, defaulting to
  UTF-8.  The result is that non-ASCII URIs and files downloaded via
  HTTP/HTTPS and FTP will have names on the local filesystem that
  correspond to their remote names.

Please report any problem you may experience to the address@hidden
mailing list.

For the maintainers of wget,
Giuseppe
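
The file-name choice on redirects described in the announcement above, modelled in Python as an added example (this is not wget's code and not part of the original message). The hosts and paths are constructed, the function names are hypothetical, and treating https like http is an assumption of the model.

```python
from urllib.parse import urlsplit
import posixpath

DEFAULT_NAME = "index.html"  # name wget uses when the URL path has no file part


def name_from_url(url):
    """Last path component of the URL, or DEFAULT_NAME if the path ends in '/'."""
    return posixpath.basename(urlsplit(url).path) or DEFAULT_NAME


def is_http_to_ftp(original_url, final_url):
    # Assumption of this model: https is treated the same as http.
    return (urlsplit(original_url).scheme in ("http", "https")
            and urlsplit(final_url).scheme == "ftp")


def filename_1_18(original_url, redirects, trust_server_names=False):
    """1.18 behaviour: keep the original name unless --trust-server-names."""
    final_url = redirects[-1] if redirects else original_url
    return name_from_url(final_url if trust_server_names else original_url)


def filename_pre_1_18(original_url, redirects, trust_server_names=False):
    """Older behaviour: an HTTP->FTP redirect also decided the local name."""
    final_url = redirects[-1] if redirects else original_url
    if trust_server_names or is_http_to_ftp(original_url, final_url):
        return name_from_url(final_url)
    return name_from_url(original_url)


def needs_trust_server_names(original_url, redirects):
    """True if a script would see a different file name after upgrading."""
    return (filename_pre_1_18(original_url, redirects)
            != filename_1_18(original_url, redirects))


if __name__ == "__main__":
    # Constructed sample redirects (hypothetical hosts and paths).
    samples = [
        ("http://example.com/report.pdf", ["ftp://example.net/pub/other-name.txt"]),
        ("http://example.com/report.pdf", ["http://example.net/other-name.txt"]),
        ("http://example.com/docs/", ["ftp://example.net/pub/docs.tar"]),
    ]
    for url, chain in samples:
        print(url, "->", chain[-1],
              "| pre-1.18:", filename_pre_1_18(url, chain),
              "| 1.18:", filename_1_18(url, chain),
              "| changed:", needs_trust_server_names(url, chain))
```

A download for which `needs_trust_server_names` returns True is one where a script written against older versions would find a differently named file after upgrading to 1.18.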


