Message-Id: <200510200409.j9K49T9h002380@app.auscert.org.au>
To: "Frank J. Laszlo"
In-Reply-To: Message from "Frank J. Laszlo" of "Wed, 19 Oct 2005 20:49:06 -0400." <4356E982.6020501@vonostingroup.com>
Date: Thu, 20 Oct 2005 14:09:29 +1000
From: Joel Hatton
Cc: ports@FreeBSD.org, sf@FreeBSD.org, freebsd-security@auscert.org.au
Subject: Re: wget/curl vul
List-Id: Porting software to FreeBSD

Hi Frank,

> freebsd-security@auscert.org.au wrote:
> >Hi,
> >
> >Are plans afoot to upgrade wget soon?
> >
> ftp/wget was updated on 8/28/05. and ftp/curl on 10/14/05. cvsup your ports.

I do. Regularly. I've also done so in the last 5 minutes. Wget has a
vulnerability that was corrected at 1.10.2; the port still sources 1.10.1,
and has no patch that appears to correct this.

According to:

http://www.gnu.org/software/wget/wget.html

"The latest stable version of Wget is 1.10.2. This release contains fixes
for a major security problem: a remotely exploitable buffer overflow
vulnerability in the NTLM authentication code. All Wget users are strongly
encouraged to upgrade their Wget installation to the last release."

Are plans afoot to upgrade wget to 1.10.2 soon? Otherwise, I'd like to
know if you believe that the FreeBSD port as it stands is not vulnerable.

thanks,
-- Joel Hatton --
Security Analyst                    | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT | Fax:     +61 7 3365 7031
The University of Queensland        | WWW:     www.auscert.org.au
Qld 4072 Australia                  | Email:   auscert@auscert.org.au