This is the mail archive of the cygwin-apps mailing list for the Cygwin project.


Re: Security Advisory and Request for Wget Update: 1.10.2


Thanks for the heads up, but next time I'll take the notice without the lip, thank you.


Alan Dobkin wrote:
FYI, Wget 1.10.2 was released over a month ago (on October 13, 2005):

The latest stable version of Wget is 1.10.2. This release contains
fixes for a major security problem: a remotely exploitable buffer
overflow vulnerability in the NTLM authentication code. All Wget users
are strongly encouraged to upgrade their Wget installation to the last

It seems that Harold Hunt is the new wget maintainer, and I do not wish
to take his place, but new releases such as this (especially security
updates that affect Windows) should be provided in a timely manner.


P. S. -- Apparently this is the same bug that also affected cURL, which
has no current maintainer....

On 10/23/2005 3:46 PM, Yaakov S (Cygwin Ports) wrote:

cURL is vulnerable to a buffer overflow which could lead to the
execution of arbitrary code.

Solution: upgrade to 7.15.0.

Workaround until solved:
Disable NTLM authentication by not using the --anyauth or --ntlm
options when using cURL (the command line version). Workarounds for
programs that use the cURL library depend on the configuration options
presented by those programs.
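
An added example, not part of this thread or of either project: a shell check for the cURL workaround quoted above. It compares a `curl --version` banner with the fixed release 7.15.0 and lists script lines that still pass `--ntlm` or `--anyauth`. The function names are hypothetical, and versions are assumed to have three numeric parts.

```shell
#!/bin/sh
# Added example (not from the thread). FIXED_VERSION and the two option
# names come from the quoted advisory; the function names are hypothetical.
FIXED_VERSION="7.15.0"

# parse_curl_version BANNER: print the version from line 1 of `curl --version`.
parse_curl_version() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B: succeed when A sorts strictly before B (assumes x.y.z).
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# find_ntlm_flags FILE...: print file:line:text for curl invocations that pass
# --ntlm or --anyauth. Only the two options the advisory names are matched.
find_ntlm_flags() {
    grep -nE '(^|[^[:alnum:]_-])curl[[:space:]].*--(ntlm|anyauth)([^[:alnum:]-]|$)' "$@" /dev/null
}

# audit BANNER FILE...: return 1 when the build predates the fix and the
# scripts still request NTLM, 2 when the banner cannot be parsed, else 0.
audit() {
    banner=$1; shift
    ver=$(parse_curl_version "$banner")
    [ -n "$ver" ] || { echo "could not parse curl version" >&2; return 2; }
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "curl $ver: at or above $FIXED_VERSION"
        return 0
    fi
    if hits=$(find_ntlm_flags "$@"); then
        echo "curl $ver predates $FIXED_VERSION and these lines enable NTLM:"
        echo "$hits"
        return 1
    fi
    echo "curl $ver predates $FIXED_VERSION; no --ntlm/--anyauth found"
    return 0
}

# Usage: audit "$(curl --version)" path/to/scripts/*.sh
```
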

