[Bug-wget] GNU wget 1.18 released
From: Giuseppe Scrivano
Subject: [Bug-wget] GNU wget 1.18 released
Date: Thu, 09 Jun 2016 18:57:12 +0200

Hello,

We are pleased to announce the new version of GNU wget.

This version fixes a security vulnerability (CVE-2016-4971) present in
all old versions of wget. The vulnerability was discovered by Dawid
Golunski and was reported to us by Beyond Security's SecuriTeam.

On a server redirect from HTTP to an FTP resource, wget would trust the
HTTP server and use the name in the redirected URL as the destination
filename.

This behaviour was changed and now it works similarly to a redirect from
HTTP to another HTTP resource, so the original name is used as
the destination file. To keep the previous behaviour the user must
provide --trust-server-names.

The new version is available for download here:

ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.gz
ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.xz

and the GPG detached signatures using the key E163E1EA:

ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.gz.sig
ftp://ftp.gnu.org/gnu/wget/wget-1.18.tar.xz.sig

To reduce load on the main server, you can use this redirector service
which automatically redirects you to a mirror:

http://ftpmirror.gnu.org/wget/wget-1.18.tar.gz
http://ftpmirror.gnu.org/wget/wget-1.18.tar.xz

Noteworthy changes:

* By default, on server redirects to an FTP resource, use the original
  URL to get the local file name. Close CVE-2016-4971. This
  introduces a backward-incompatibility for HTTP->FTP redirects and
  any script that relies on the old behaviour must use
  --trust-server-names.
* Check the HSTS file is not world-writable before using it.
* Parse <img srcset> attributes on a recursive download.
* Fix problem with SNI server names having trailing dot(s).
* New options --bind-dns-address and --dns-servers.
* When Wget is built with libiconv, it now converts non-ASCII URIs to
  the locale's codeset when it creates files. The encoding of the
  remote files and URIs is taken from --remote-encoding, defaulting to
  UTF-8. The result is that non-ASCII URIs and files downloaded via
  HTTP/HTTPS and FTP will have names on the local filesystem that
  correspond to their remote names.

Please report any problem you may experience to the address@hidden
mailing list.
For the maintainers of wget,
Giuseppe
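
The file-name rule described in the announcement, as an added example that is not part of the original message and is not wget's source code. It models how the local name is chosen after a single redirect under the old and the new behaviour; the function names, the policy enum and the sample URLs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Last path component of a URL (no query/fragment); "index.html" if empty. */
static void url_basename(const char *url, char *out, size_t outlen)
{
    if (outlen == 0) return;
    const char *host = strstr(url, "://");
    const char *path = strchr(host ? host + 3 : url, '/');
    size_t len = path ? strcspn(path, "?#") : 0;
    const char *base = path;
    for (size_t i = 0; i < len; i++)
        if (path[i] == '/')
            base = path + i + 1;
    size_t blen = path ? (size_t)(path + len - base) : 0;
    if (blen == 0) { base = "index.html"; blen = strlen(base); }
    if (blen >= outlen) blen = outlen - 1;
    memcpy(out, base, blen);
    out[blen] = '\0';
}

enum policy { PRE_1_18, V1_18 };   /* hypothetical names for the two behaviours */

/* Choose the local file name after one redirect. */
static void pick_local_name(const char *requested, const char *redirected,
                            enum policy pol, int trust_server_names,
                            char *out, size_t outlen)
{
    int to_ftp = strncmp(redirected, "ftp://", 6) == 0;
    /* Old: an HTTP->FTP redirect let the server pick the name.
       1.18: only --trust-server-names does. */
    int use_redirected = trust_server_names || (pol == PRE_1_18 && to_ftp);
    url_basename(use_redirected ? redirected : requested, out, outlen);
}

int main(void)
{
    /* Constructed sample URLs. */
    const char *req = "http://example.test/docs/report.pdf";
    const char *red = "ftp://mirror.example.test/pub/other-name.cfg";
    char name[64];
    pick_local_name(req, red, PRE_1_18, 0, name, sizeof name);
    printf("pre-1.18:                  %s\n", name);
    pick_local_name(req, red, V1_18, 0, name, sizeof name);
    printf("1.18 default:              %s\n", name);
    pick_local_name(req, red, V1_18, 1, name, sizeof name);
    printf("1.18 --trust-server-names: %s\n", name);
    return 0;
}
```

Scripts that save into a directory where file names matter can use the same comparison as a check: if the name written to disk differs from the last component of the URL that was requested, the server chose it.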