Joined: 12 May 2004
|Posted: Tue Jul 11, 2017 1:26 pm Post subject: [ GLSA 201706-16 ] GNU Wget
|Gentoo Linux Security Advisory
Title: GNU Wget: Header injection (GLSA 201706-16)
A header injection vulnerability in GNU Wget might allow remote
attackers to inject arbitrary HTTP headers.
GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols.
Vulnerable: < 1.19.1-r1
Unaffected: >= 1.19.1-r1
Architectures: All supported architectures
It was discovered that there was a header injection vulnerability in GNU
Wget which allowed remote attackers to inject arbitrary HTTP headers via
CRLF sequences in the host subcomponent of a URL.
A remote attacker could inject arbitrary HTTP headers in requests by
tricking a user running GNU Wget into processing crafted URLs.
There is no known workaround at this time.
All GNU Wget users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/wget-1.19.1-r1"