This is the mail archive of the
mailing list for the Cygwin project.
Re: Security Advisory and Request for Wget Update: 1.10.2
- From: Harold L Hunt II <huntharo at msu dot edu>
- To: Cygwin-Apps Mailing List <Cygwin-Apps at Cygwin dot com>
- Cc: Alan Dobkin <Cygwin at OmniComp dot org>
- Date: Tue, 15 Nov 2005 12:53:21 -0800
- Subject: Re: Security Advisory and Request for Wget Update: 1.10.2
- References: <435BE891.email@example.com> <437A4634.4050504@OmniComp.org>
Thanks for the heads up, but next time I'll take the notice without the
lip, thank you.
Alan Dobkin wrote:
FYI, Wget 1.10.2 was released over a month ago (on October 13, 2005):
The latest stable version of Wget is 1.10.2. This release contains
fixes for a major security problem: a remotely exploitable buffer
overflow vulnerability in the NTLM authentication code. All Wget users
are strongly encouraged to upgrade their Wget installation to the last
It seems that Harold Hunt is the new wget maintainer, and I do not wish
to take his place, but new releases such as this (especially security
updates that affect Windows) should be provided in a timely manner.
P. S. -- Apparently this is the same bug that also affected cURL, which
has no current maintainer....
On 10/23/2005 3:46 PM, Yaakov S (Cygwin Ports) wrote:
cURL is vulnerable to a buffer overflow which could lead to the
execution of arbitrary code.
Solution: upgrade to 7.15.0.
Workaround until solved:
Disable NTLM authentication by not using the --anyauth or --ntlm
options when using cURL (the command line version). Workarounds for
programs that use the cURL library depend on the configuration options
presented by those programs.
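
A local check an administrator could run, as an added example that is not part of the original thread: it compares a `--version` line against the fixed releases named above (Wget 1.10.2, cURL 7.15.0) and counts lines in a script or curlrc that enable `--ntlm` or `--anyauth`. The function names and sample version lines are constructed for illustration; the thread gives no lower bound for affected versions, so anything older than the fixed release is flagged.

```shell
#!/bin/sh
# Added example, not from the thread. Fixed versions are the ones quoted in it.

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}    # ignore suffixes such as "-cvs"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1    # equal versions are not "older"
}

# tool_version TEXT: first dotted number on the first line of `--version` output.
tool_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# needs_upgrade TOOL TEXT: succeed when TOOL is older than its fixed release.
# An unparseable version is treated as older, so it gets looked at.
needs_upgrade() {
    case $1 in
        wget) fixed=1.10.2 ;;
        curl) fixed=7.15.0 ;;
        *) return 2 ;;
    esac
    version_lt "$(tool_version "$2")" "$fixed"
}

# ntlm_option_count FILE: number of lines that pass --ntlm or --anyauth to
# curl, or set them in a curlrc (where the leading dashes are optional).
ntlm_option_count() {
    grep -cE -e '(^|[[:space:]])--(ntlm|anyauth)([[:space:]]|$)' \
             -e '^[[:space:]]*(ntlm|anyauth)[[:space:]]*$' -- "$1" || :
}

# Constructed sample input, not real output from any host.
for line in 'wget|GNU Wget 1.10.1' 'curl|curl 7.15.0 (i686-pc-cygwin) libcurl/7.15.0'; do
    tool=${line%%|*}; text=${line#*|}
    if needs_upgrade "$tool" "$text"; then echo "$tool: upgrade"; else echo "$tool: ok"; fi
done
```

On a real host, pass `"$(wget --version)"` or `"$(curl --version)"` as the second argument to `needs_upgrade`, and point `ntlm_option_count` at the scripts or curlrc files that invoke cURL.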