Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Dear lovely release team,

TL;DR:

# CVE-2014-4887
unblock wget/1.16-1
age-days 2 wget/1.16-1

wget 1.16 in unstable currently fixes CVE-2014-4887:

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

This is a rather nasty security bug, so should probably get into testing a) before the freeze (which it won't do at the moment) and b) before it gets tangled in the nettle transition (which hopefully won't happen, but you know what happens sometimes with transitions...)

Thanks!
Neil

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (650, 'testing'), (500, 'testing-updates'), (500, 'testing-proposed-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
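The LIST response pattern described in the message above (the same filename in two entries, one of them a symlink) can be checked for in a captured directory listing. The following is an added example, not part of the original message and not wget's own fix; it assumes Unix-style `ls -l` LIST output, and the function names and sample listings are constructed for illustration.

```python
import re
from collections import defaultdict

# Unix-style LIST line (assumed format): type+perms, links, owner, group,
# size, three date fields, then the name (with " -> target" for symlinks).
LIST_RE = re.compile(
    r"^(?P<type>[-dlbcps])[rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)

def parse_list(listing):
    """Yield (type_char, name, link_target) for each parsable LIST line."""
    for line in listing.splitlines():
        m = LIST_RE.match(line.rstrip("\r"))
        if not m:
            continue  # skip "total N" lines and anything unparsable
        name, target = m.group("name"), None
        if m.group("type") == "l" and " -> " in name:
            name, target = name.split(" -> ", 1)
        yield m.group("type"), name, target

def suspicious_names(listing):
    """Return names listed more than once where at least one entry is a symlink."""
    seen = defaultdict(list)
    for ftype, name, target in parse_list(listing):
        seen[name].append((ftype, target))
    return {
        name: entries
        for name, entries in seen.items()
        if len(entries) > 1 and any(t == "l" for t, _ in entries)
    }

# Constructed sample listings (TARGET is a placeholder link target).
SAMPLE_FLAGGED = """\
drwxr-xr-x   2 ftp ftp     4096 Oct 28 10:00 pub
lrwxrwxrwx   1 ftp ftp        6 Oct 28 10:00 docs -> TARGET
drwxr-xr-x   2 ftp ftp     4096 Oct 28 10:00 docs
-rw-r--r--   1 ftp ftp      120 Oct 28 10:00 README
"""
SAMPLE_CLEAN = """\
total 8
lrwxrwxrwx   1 ftp ftp        6 Oct 28 10:00 latest -> TARGET
-rw-r--r--   1 ftp ftp      120 Oct 28 10:00 README
"""

if __name__ == "__main__":
    print(suspicious_names(SAMPLE_FLAGGED))  # flags "docs"
    print(suspicious_names(SAMPLE_CLEAN))    # nothing flagged
```

A listing that trips this check is worth rejecting or reviewing before any recursive download acts on it; a symlink with a unique name is not flagged.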