Giuseppe Iuculano wrote:
> Package: wget
> Version: 1.11.4-4
> Severity: grave
> Tags: security
> 
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for wget.
> 
> CVE-2009-3490[0]:
> | GNU Wget before 1.12 does not properly handle a '\0' character in a
> | domain name in the Common Name field of an X.509 certificate, which
> | allows man-in-the-middle remote attackers to spoof arbitrary SSL
> | servers via a crafted certificate issued by a legitimate Certification
> | Authority, a related issue to CVE-2009-2408.

Please note that upstream has already fixed this in Wget 1.12. If you
wish to apply it to Wget 1.11.4 (it should apply pretty cleanly), the
relevant changesets at http://hg.addictivecode.org/wget/mainline/ are:

2d8c76a23e7d   ( <-- the change itself )
f2d2ca32fd1b   ( <-- a message adjustment )
1eab157d3be7   ( <-- NEWS entry )

-- 
HTH,
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
http://micah.cowan.name/
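The '\0' handling that the CVE text describes, shown as an added C example (this is not wget's code and not taken from the changesets above): a NUL-terminated comparison only ever sees the prefix of a Common Name, while a check that honours the certificate's declared length rejects the embedded NUL outright. The function names and the sample CN bytes are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed illustration of the CVE-2009-3490 class of bug (not wget's
 * code). An X.509 CN is an ASN.1 string with an explicit length; C string
 * routines stop at the first '\0', so a CN of "good.example\0evil.example"
 * looks like "good.example" to strcasecmp() even though the CA checked the
 * whole value. */

/* Vulnerable shape: trusts the NUL-terminated view of the CN and ignores
 * the length the certificate actually carries. */
bool cn_matches_host_unsafe(const unsigned char *cn, size_t cn_len,
                            const char *host)
{
    (void)cn_len; /* certificate-supplied length is never consulted */
    return strcasecmp((const char *)cn, host) == 0;
}

/* Hardened shape: the CN must be exactly cn_len bytes with no embedded
 * NUL, and the comparison is bounded by the certificate-supplied length. */
bool cn_matches_host_safe(const unsigned char *cn, size_t cn_len,
                          const char *host)
{
    if (cn == NULL || host == NULL || cn_len == 0)
        return false;
    /* A NUL inside the declared length means the name is malformed or
     * crafted; reject it instead of comparing a truncated prefix. */
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    size_t host_len = strlen(host);
    if (host_len != cn_len)
        return false;
    return strncasecmp((const char *)cn, host, cn_len) == 0;
}
```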