As you might have seen, the new release 1.20.1 of GNU Wget addresses CVE-2018-20483 [1].
The issue is that since 1.19 Wget stores the URL and, in certain cases, the 'Referer' URL within extended attributes (xattrs) of the file system - by default. This includes username + password and other credentials or private data *if* those have been used within the URLs. Anyone with read access to those files can also read the xattrs and might use the data.

Wget 1.20.1 or higher will not use xattrs by default any more. To enable it again you have to use the --xattr option or the xattr command in .wgetrc files.

To check if files are affected in and below the current directory, you can use the following command (Linux):

  find . -type f -print0 | LC_ALL=C xargs -0 xattr | \
    egrep 'user.xdg.origin.url|user.xdg.referrer.url'

To print the contents of 'user.xdg.origin.url':

  find . -type f -print0 | LC_ALL=C xargs -0 xattr \
    -p user.xdg.origin.url 2>/dev/null

To print the contents of 'user.xdg.referrer.url':

  find . -type f -print0 | LC_ALL=C xargs -0 xattr \
    -p user.xdg.referrer.url 2>/dev/null

To remove the xattrs:

  find . -type f -print0 | LC_ALL=C xargs -0 xattr \
    -d user.xdg.origin.url 2>/dev/null
  find . -type f -print0 | LC_ALL=C xargs -0 xattr \
    -d user.xdg.referrer.url 2>/dev/null

E.g. for Debian the 'xattr' command comes with the 'xattr' package. Install it with `sudo apt-get install xattr`.

I am really sorry for the inconvenience. Please spread the word.

With Best Regards, Tim

[1] https://security-tracker.debian.org/tracker/CVE-2018-20483
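The shell one-liners above list, print and delete the two attributes but leave it to the reader to spot which stored URLs actually embed credentials. The following script is an added example, not part of the announcement or of Wget itself: it walks a tree with Python's Linux-only os.listxattr/os.getxattr/os.removexattr (no external 'xattr' package needed), reports every file carrying 'user.xdg.origin.url' or 'user.xdg.referrer.url', flags values whose URL contains userinfo (user:password@host), redacts the password when printing, and optionally strips the attributes. The sample file and URLs in demo() are constructed for illustration; example.invalid is not a real host.

```python
#!/usr/bin/env python3
"""Find and optionally remove the xattrs Wget 1.19 - 1.20.0 wrote by default.

Added example for the CVE-2018-20483 announcement; assumes Linux, where the
os.*xattr functions are available. Run as:  python3 wget_xattr_scan.py DIR [--remove]
"""
import os
import sys
import tempfile
from urllib.parse import urlsplit

# The two attribute names named in the announcement.
WGET_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def credentials_in_url(url):
    """True if the URL carries userinfo (user and/or password before the host)."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal; treat as no credentials
        return False
    return parts.username is not None or parts.password is not None


def redact(url):
    """Mask the password component so findings can be logged safely."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = parts.netloc.replace(":" + parts.password + "@", ":***@", 1)
    return parts._replace(netloc=netloc).geturl()


def read_wget_xattrs(path):
    """Return {attr_name: decoded_value} for the Wget attributes present on path."""
    found = {}
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:  # unreadable file or filesystem without xattr support
        return found
    for name in WGET_XATTRS:
        if name in names:
            raw = os.getxattr(path, name, follow_symlinks=False)
            found[name] = raw.decode("utf-8", errors="replace")
    return found


def scan_tree(root, remove=False):
    """Walk root and return a list of (path, attr, url, has_credentials).

    With remove=True each attribute is deleted right after it is recorded,
    mirroring the 'xattr -d' step from the announcement.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue  # only regular files get the attributes from Wget
            for name, value in read_wget_xattrs(path).items():
                findings.append((path, name, value, credentials_in_url(value)))
                if remove:
                    os.removexattr(path, name, follow_symlinks=False)
    return findings


def demo():
    """Constructed sample: one file tagged the way Wget 1.19 did, then scanned
    with removal and scanned again. Returns (before, after), or None if the
    filesystem holding the temp dir does not support user xattrs."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "archive.tgz")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content\n")
        try:
            # Constructed values; a real download stores the URL Wget was given.
            os.setxattr(sample, "user.xdg.origin.url",
                        b"https://alice:s3cret@example.invalid/archive.tgz")
            os.setxattr(sample, "user.xdg.referrer.url",
                        b"https://example.invalid/downloads/")
        except OSError:
            return None
        before = scan_tree(root, remove=True)
        after = scan_tree(root)
        return before, after


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: wget_xattr_scan.py DIR [--remove]")
    results = scan_tree(sys.argv[1], remove="--remove" in sys.argv[2:])
    for path, attr, url, creds in results:
        flag = "CREDENTIALS" if creds else "ok"
        print(f"{flag:11} {path} {attr} = {redact(url)}")
    print(f"{len(results)} attribute(s) found, "
          f"{sum(1 for r in results if r[3])} with embedded credentials")
```

The report is what a responder wants first: which files leaked a URL at all, and which of those URLs carried a username or password that now needs rotating. Stripping the attributes (`--remove`) closes the local disclosure but does not undo any exposure that already happened, so rotate credentials found in the CREDENTIALS rows regardless.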
