Message-ID: <4357848D.2030109@vonostingroup.com>
Date: Thu, 20 Oct 2005 07:50:37 -0400
From: "Frank J. Laszlo"
To: Joel Hatton
Cc: ports@FreeBSD.org, sf@FreeBSD.org, freebsd-security@auscert.org.au
In-Reply-To: <200510200409.j9K49T9h002380@app.auscert.org.au>
Subject: Re: wget/curl vul

Joel Hatton wrote:

>Hi Frank,
>
>
>>freebsd-security@auscert.org.au wrote:
>>
>>>Hi,
>>>
>>>Are plans afoot to upgrade wget soon?
>>>
>>>
>>ftp/wget was updated on 8/28/05. and ftp/curl on 10/14/05. cvsup your ports.
>>
>
>I do. Regularly. I've also done so in the last 5 minutes. Wget has a
>vulnerability that was corrected at 1.10.2; the port still sources 1.10.1,
>and has no patch that appears to correct this. According to:
>
>http://www.gnu.org/software/wget/wget.html
>
>"The latest stable version of Wget is 1.10.2. This release contains fixes
>for a major security problem: a remotely exploitable buffer overflow
>vulnerability in the NTLM authentication code. All Wget users are strongly
>encouraged to upgrade their Wget installation to the last release."
>
>Are plans afoot to upgrade wget to 1.10.2 soon? Otherwise, I'd like to
>know if you believe that the FreeBSD port as it stands is not vulnerable.
>
>

My mistake, I only read part of the vulnerability report. If the maintainer hasn't already, I'll submit an update for wget.

Regards,
Frank Laszlo