Date: Thu, 20 Oct 2005 14:09:29 +1000
From: Joel Hatton <joel@auscert.org.au>
To: "Frank J. Laszlo" <laszlof@vonostingroup.com>
Cc: ports@FreeBSD.org, sf@FreeBSD.org, freebsd-security@auscert.org.au
Subject: Re: wget/curl vul
Message-ID: <200510200409.j9K49T9h002380@app.auscert.org.au>
In-Reply-To: Message from "Frank J. Laszlo" <laszlof@vonostingroup.com> of "Wed, 19 Oct 2005 20:49:06 -0400." <4356E982.6020501@vonostingroup.com>
Hi Frank,

> freebsd-security@auscert.org.au wrote:
> >Hi,
> >
> >Are plans afoot to upgrade wget soon?
> >
> ftp/wget was updated on 8/28/05. and ftp/curl on 10/14/05. cvsup your ports.

I do. Regularly. I've also done so in the last 5 minutes. Wget has a
vulnerability that was corrected at 1.10.2; the port still sources 1.10.1,
and has no patch that appears to correct this. According to:

http://www.gnu.org/software/wget/wget.html

"The latest stable version of Wget is 1.10.2. This release contains fixes
for a major security problem: a remotely exploitable buffer overflow
vulnerability in the NTLM authentication code. All Wget users are strongly
encouraged to upgrade their Wget installation to the last release."

Are plans afoot to upgrade wget to 1.10.2 soon? Otherwise, I'd like to know
if you believe that the FreeBSD port as it stands is not vulnerable.

thanks,
-- Joel Hatton --
Security Analyst                    | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT | Fax:     +61 7 3365 7031
The University of Queensland        | WWW:     www.auscert.org.au
Qld 4072 Australia                  | Email:   auscert@auscert.org.au