GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Tue Jul 11, 2017 1:26 pm Post subject: [ GLSA 201706-16 ] GNU Wget |
|
|
Gentoo Linux Security Advisory
Title: GNU Wget: Header injection (GLSA 201706-16)
Severity: normal
Exploitable: remote
Date: 2017-06-20
Bug(s): #612326
ID: 201706-16
Synopsis
A header injection vulnerability in GNU Wget might allow remote
attackers to inject arbitrary HTTP headers.
Background
GNU Wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols.
Affected Packages
Package: net-misc/wget
Vulnerable: < 1.19.1-r1
Unaffected: >= 1.19.1-r1
Architectures: All supported architectures
Description
It was discovered that there was a header injection vulnerability in GNU
Wget which allowed remote attackers to inject arbitrary HTTP headers via
CRLF sequences in the host subcomponent of a URL.
Impact
A remote attacker could inject arbitrary HTTP headers in requests by
tricking a user running GNU Wget into processing crafted URLs.
Workaround
There is no known workaround at this time.
Resolution
All GNU Wget users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/wget-1.19.1-r1"
|
References
CVE-2017-6508 |
|