[ANNOUNCEMENT] Updated: wget 1.20.3

Brian Inglis Brian.Inglis@SystematicSW.ab.ca
Mon Nov 9 22:35:40 GMT 2020

The following packages have been upgraded in the Cygwin distribution:

* wget	1.20.3

This was the last release of wget, unless urgent high priority security patches
are required. Future development will be against the successor project wget2. 

GNU Wget is a file retrieval utility which can use either
the HTTP, HTTPS, or FTP protocols. Wget features include the ability
to work in the background while you're logged out, recursive retrieval
of directories, file name wildcard matching, remote file timestamp
storage and comparison, use of Rest with FTP servers and Range with
HTTP servers to retrieve files over slow or unstable connections,
support for Proxy servers, and configurability.

For more information, please see the project home page.


Summary of changes since last release wget 1.19.1:

* fix CVE-2018-0494, CVE-2017-13089, CVE-2017-13090
* fix buffer overflow vulnerability and segfault
* fixed multiple potential resource leaks, memory leaks, buffer and integer
* support TLSv1.3 ciphers, libpcre2 regex pattern matching
* NTLM authentication retries in certain cases
* add new options --ciphers, --compression, --retry-on-host-error
* add --[no]-netrc to control .netrc parsing including GNU extensions, fix
  Windows detection
* fixed --xattr issues
* decompress GZip'ed pages, prevent erroneous decompression with broken servers
* support for HTTP 308 Permanent Redirect response
* Improved IDNA 2003 compatibility
* will now not create an empty wget-log file when running with -q and -b

For more details see /usr/share/doc/wget/NEWS or below:

* Changes in Wget 1.20.3

--  Fixed a buffer overflow vulnerability

* Changes in Wget 1.20.2

--  NTLM authentication will retry under certain cases

* Changes in Wget 1.20.1

--  --xattr is no longer default since it introduces privacy issues.
--  --xattr saves the Referer as scheme/host/port; user/pw/path/query/fragment
   are no longer saved to prevent privacy issues.
--  --xattr saves the Original URL without user/password to prevent
   privacy issues.

* Changes in Wget 1.20

--  Add new option `--retry-on-host-error` to treat local errors as transient
    and hence Wget will retry to download the file after a brief waiting period.
--  Fixed multiple potential resource leaks as found by static analysis
--  Wget will now not create an empty wget-log file when running with -q and -b
    switches together
--  When compiled using the GnuTLS >= 3.6.3, Wget now has support for TLSv1.3
--  Now there is support for using libpcre2 for regex pattern matching
--  When downloading over FTP recursively, one can now use the
    --{accept,reject}-regex switches to fine-tune the downloaded files
--  Building Wget from the git sources now requires autoconf 2.63 or above.
    Building from the Tarballs works as it used to.

* Changes in Wget 1.19.5

--  Fix cookie injection (CVE-2018-0494)
--  Enable TLS1.3 with recent OpenSSL environment
--  New option --ciphers to set GnuTLS / OpenSSL ciphers directly
--  Updated CSS grammar to CSS 2.2
--  Fixed several memleaks found by OSS-Fuzz
--  Fixed several buffer overflows found by OSS-Fuzz
--  Fixed several integer overflows found by OSS-Fuzz
--  Several minor bug fixes

* Changes in Wget 1.19.4

--  A major bug that caused GZip'ed pages to never be decompressed has been fixed
--  Support for Content-Encoding and Transfer-Encoding has been marked as
    experimental and disabled by default

* Changes in Wget 1.19.3

--  Prevent erroneous decompression of .gz and .tgz files with broken servers
--  Added support for HTTP 308 Permanent Redirect response
--  Fix a segfault in some cases where the Content-Type header is not sent
--  Support OpenSSL 1.1 builds without using deprecated features
--  Fix netrc file detection on Windows
--  Several minor bug fixes

* Changes in Wget 1.19.2

--  Fix CVE-2017-13089 (Stack overflow in HTTP protocol handling)
--  Fix CVE-2017-13090 (Heap overflow in HTTP protocol handling)
--  New option --compression for gzip Content-Encoding
--  New option --[no]-netrc to control .netrc parsing
--  Added GNU extensions to .netrc parsing
--  Improved IDNA 2003 compatibility
--  Fix VPATH issues
--  Improved and extended the test suite
--  Support Wayback Machine's X-Archive-Orig-last-modified
--  Several bug fixes
