Darshit Shah <dar...@gnu.org> writes: > This is to announce wget-1.24.5, a stable release. > > This is another relative slow release with minor bug fixes. The main > one being a correction in how subdomains of Top-Level Domains (TLDs) > are treated when checking for suffixes during HSTS lookups. This is a > very low criticality vulnerability that has now been patched. > > There have been 33 commits by 6 people in the 43 weeks since 1.21.4. > > See the NEWS below for a brief summary. > > Thanks to everyone who has contributed! > The following people contributed changes to this release: > > Christian Weisgerber (1) > Darshit Shah (20) > Jan Palus (1) > Jan-Michael Brummer (1) > Tim Rühsen (9) > Yaakov Selkowitz (1) > > Darshit Shah > [on behalf of the wget maintainers] > ================================================================== > > Here is the GNU wget home page: > https://gnu.org/s/wget/ > > For a summary of changes and contributors, see: > https://git.sv.gnu.org/gitweb/?p=wget.git;a=shortlog;h=v1.24.5 > or run this command from a git-cloned wget directory: > git shortlog v1.21.4..v1.24.5 > > Here are the compressed sources: > https://ftpmirror.gnu.org/wget/wget-1.24.5.tar.gz (5.0MB) > https://ftpmirror.gnu.org/wget/wget-1.24.5.tar.lz (2.5MB) > > Here are the GPG detached signatures: > https://ftpmirror.gnu.org/wget/wget-1.24.5.tar.gz.sig > https://ftpmirror.gnu.org/wget/wget-1.24.5.tar.lz.sig > > Use a mirror for higher download bandwidth: > https://www.gnu.org/order/ftp.html > > Here are the SHA1 and SHA256 checksums: > > 62525de6f09486942831ca2e352ae6802fc2c3dd wget-1.24.5.tar.gz > +i3DW6tRhOy8Rqnvg97yqqo/TJ88l9S9GdywfU2mN94= wget-1.24.5.tar.gz > 01659f427c2e90c7c943805db69ea00f5da79b07 wget-1.24.5.tar.lz > V6EHFR5O+U/flK/+z6xZiWPzcvEyk+2cdAMhBTkLNu4= wget-1.24.5.tar.lz > > Verify the base64 SHA256 checksum with cksum -a sha256 --check > from coreutils-9.2 or OpenBSD's cksum since 2007. > > Use a .sig file to verify that the corresponding file (without the > .sig suffix) is intact. First, be sure to download both the .sig file > and the corresponding tarball. Then, run a command like this: > > gpg --verify wget-1.24.5.tar.gz.sig > > The signature should match the fingerprint of the following key: > > pub rsa4096 2015-10-14 [SC] > 7845 120B 07CB D8D6 ECE5 FF2B 2A17 43ED A91A 35B6 > uid Darshit Shah <g...@darnir.net> > uid Darshit Shah <dar...@gnu.org> > > If that command fails because you don't have the required public key, > or that public key has expired, try the following commands to retrieve > or refresh it, and then rerun the 'gpg --verify' command. > > gpg --locate-external-key g...@darnir.net > > gpg --recv-keys 64FF90AAE8C70AF9 > > wget -q -O- > 'https://savannah.gnu.org/project/release-gpgkeys.php?group=wget&download=1' > | gpg --import - >
The version of your key in this keyring seems to be expired. Could you upload a new one? Thanks. > As a last resort to find the key, you can try the official GNU > keyring: > > wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg > gpg --keyring gnu-keyring.gpg --verify wget-1.24.5.tar.gz.sig > > This release was bootstrapped with the following tools: > Autoconf 2.72 > Automake 1.16.5 > Gnulib v0.1-7211-gd15237a22b > > NEWS > > * Noteworthy changes in release 1.24.5 (2024-03-10) [stable] > > ** Fix how subdomain matches are checked for HSTS. > Fixes a minor issue where cookies may be leaked to the wrong domain > > ** Wget will now also parse the srcset attribute in <source> HTML tags > > ** Support reading fetchmail style "user" and "passwd" fields from netrc > > ** In some cases, prevent the confusing "Cannot write to... (success)" > error messages > > ** Support extremely fast download speeds (TB/s). > Previously this would cause Wget to crash when printing the speed > > ** Improve portability on OpenBSD to run the test suite > > ** Ensure that CSS URLs are corectly quoted (Bug: 64082) > > [2. OpenPGP public key --- application/pgp-keys; > OpenPGP_0x2A1743EDA91A35B6.asc]...
