Mageia 2019-0015: wget security update
Summary
Since version 1.19 Wget stores the URL and in certain cases the
'Referer' URL within extended attributes (xattrs) of the file system
- by default.
This includes username + password and other credentials or private data
*if* those have been used within the URLs. Anyone with read access to
those files might also read the xattrs and might use the data.
Wget 1.20.1 or higher will not use xattrs by default any more. To enable
it again you have to use the --xattr option or xattr command for .wgetrc
files. (CVE-2018-20483)
References
- https://bugs.mageia.org/show_bug.cgi?id=24109
- https://www.openwall.com/lists/oss-security/2019/01/01/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483
Resolution
MGASA-2019-0015 - Updated wget packages fix security vulnerability
SRPMS
- 6/core/wget-1.20.1-1.mga6