NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/wget: security bump version to 1.25.0

Browse Source 
Release notes:
https://lists.gnu.org/archive/html/bug-wget/2024-11/msg00002.html

Fixes the following vulnerabilities:

- CVE-2024-38428: url.c in GNU Wget through 1.24.5 mishandles semicolons in
  the userinfo subcomponent of a URI, and thus there may be insecure
  behavior in which data that was supposed to be in the userinfo
  subcomponent is misinterpreted to be part of the host subcomponent.

  https://nvd.nist.gov/vuln/detail/CVE-2024-38428

- CVE-2024-10524: Applications that use Wget to access a remote resource
  using shorthand URLs and pass arbitrary user credentials in the URL are
  vulnerable.  In these cases attackers can enter crafted credentials which
  will cause Wget to access an arbitrary host.

  https://www.openwall.com/lists/oss-security/2024/11/18/6

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 295b2c4f8ecaf0b6e03725a6c8412795e91888c8)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Bernd Kuhls 2024-12-11 20:29:12 +01:00 committed by Peter Korsgaard
parent 27914e481d
commit 79299da8c4
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
package/wget/wget.hash
View File

@ -1,8 +1,8 @@
# From https://lists.gnu.org/archive/html/bug-wget/2024-03/msg00008.html
sha1 01659f427c2e90c7c943805db69ea00f5da79b07 wget-1.24.5.tar.lz
# From https://lists.gnu.org/archive/html/bug-wget/2024-11/msg00002.html
sha1 ca79e61fbf1d32133f60ef7c7d476b250b6da423 wget-1.25.0.tar.lz
# Locally calculated after checking pgp signature
# https://ftp.gnu.org/gnu/wget/wget-1.24.5.tar.lz.sig
# https://ftp.gnu.org/gnu/wget/wget-1.25.0.tar.lz.sig
# with key 6B98F637D879C5236E277C5C64FF90AAE8C70AF9
sha256 57a107151e4ef94fdf94affecfac598963f372f13293ed9c74032105390b36ee wget-1.24.5.tar.lz
sha256 19225cc756b0a088fc81148dc6a40a0c8f329af7fd8483f1c7b2fe50f4e08a1f wget-1.25.0.tar.lz
# Locally calculated
sha256 f7dc7522e7e1be9227f3dc8de8b39a4d1d2471968c893af15f00c1a2076a0eec COPYING

2
package/wget/wget.mk
View File

@ -4,7 +4,7 @@
#
################################################################################
WGET_VERSION = 1.24.5
WGET_VERSION = 1.25.0
WGET_SOURCE = wget-$(WGET_VERSION).tar.lz
WGET_SITE = $(BR2_GNU_MIRROR)/wget
WGET_DEPENDENCIES = host-pkgconf