PublicDateAtUSN: 2014-10-29
Candidate: CVE-2014-4877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
https://usn.ubuntu.com/usn/usn-2393-1
Absolute path traversal vulnerability in GNU Wget before 1.16, when
recursion is enabled, allows remote FTP servers to write to arbitrary
files, and consequently execute arbitrary code, via a LIST response that
references the same filename within two entries, one of which indicates
that the filename is for a symlink.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766981
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-4877
Discovered-by: HD Moore
upstream: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
upstream: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=69c45cba4382fcaabe3d86876bd5463dc34f442c
upstream_wget: released (1.16)
lucid_wget: released (1.12-1.1ubuntu2.2)
precise_wget: released (1.13.4-2ubuntu1.2)
trusty_wget: released (1.15-1ubuntu1.14.04.1)
utopic_wget: released (1.15-1ubuntu1.14.10.1)
devel_wget: released (1.16-1ubuntu1)