[Bug-wget] wget-1.20.1 released [stable]

[Tim Rühsen]

Hi,

due to some privacy issues in default settings of Wget, we introduce
this bugfix release.

The --xattr option (saving original URL and Referer into extended file
attributes) was introduced and enabled by default since Wget 1.19.
It possibly saved - possibly unrecognized by the user - credentials,
access tokes etc that were included in the requested URL.

We changed three details as a countermeasure, see below in the NEWS section.

With Best Regards, Tim


Here are the compressed sources and a GPG detached signature[*]:
  https://ftp.gnu.org/gnu/wget/wget-1.20.1.tar.gz
  https://ftp.gnu.org/gnu/wget/wget-1.20.1.tar.gz.sig

Use a mirror for higher download bandwidth:
  https://ftpmirror.gnu.org/wget/wget-1.20.1.tar.gz
  https://ftpmirror.gnu.org/wget/wget-1.20.1.tar.gz.sig

Here are the MD5 and SHA1 checksums:

f6ebe9c7b375fc9832fb1b2028271fb7  wget-1.20.1.tar.gz
4b1ade04ee7ff30181357e0c66b5ac74e39f79b3  wget-1.20.1.tar.gz

[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify wget-1.20.1.tar.gz.sig

If that command fails because you don't have the required public key,
then run this command to import it:

  gpg --keyserver keys.gnupg.net --recv-keys 0x08302DB6A2670428

and rerun the 'gpg --verify' command.

NEWS

* Changes in Wget 1.20.1

** --xattr is no longer default since it introduces privacy issues.

** --xattr saves the Referer as scheme/host/port,
user/pw/path/query/fragment
   are no longer saved to prevent privacy issues.

** --xattr saves the Original URL without user/password to prevent
   privacy issues.

signature.asc
Description: OpenPGP digital signature