Security Advisory Moderate: wget security update

Advisory: RHSA-2014:1764-2
Type: Security Advisory
Severity: Moderate
Issued on: 2014-10-30
Last updated on: 2014-10-30
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Server AUS (v. 6.6)
Red Hat Enterprise Linux Server EUS (v. 6.6.z)
Red Hat Enterprise Linux Workstation (v. 6)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2014-4877

Details

An updated wget package that fixes one security issue is now available for
Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

The wget package provides the GNU Wget file retrieval utility for HTTP,
HTTPS, and FTP protocols.

A flaw was found in the way Wget handled symbolic links. A malicious FTP
server could cause Wget running in mirror mode (using the '-m' command
line option) to write an arbitrary file to a location writable by the
user running Wget, possibly leading to code execution. (CVE-2014-4877)

Note: This update changes the default value of the --retr-symlinks option.
Symbolic links to files are now traversed by default, and the pointed-to
files are retrieved instead of a symbolic link being created locally.
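
Added example (not part of the Red Hat advisory or of the wget package): a shell check for directory trees that were mirrored before this update, listing symbolic links that resolve outside the mirror directory so they can be reviewed. It assumes GNU readlink; the function name audit_mirror_symlinks and the OUTSIDE/UNRESOLVED labels are made up for this example.

```shell
#!/bin/sh
# Added example: review a directory tree that was mirrored over FTP.
# Lists symbolic links whose target resolves outside the mirror root.
# Assumes GNU readlink (-f); file names containing newlines are not handled.

audit_mirror_symlinks() {
    # Canonical absolute path of the mirror root (hypothetical argument).
    root=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    found=$(
        # -type l matches the links themselves; find does not follow them.
        find "$root" -type l -print | while IFS= read -r link; do
            target=$(readlink -f -- "$link" 2>/dev/null) || target=""
            case "$target" in
                ("")
                    # Target could not be canonicalized, for example a dangling link.
                    printf 'UNRESOLVED %s -> %s\n' "$link" "$(readlink -- "$link")" ;;
                ("$root"|"$root"/*)
                    ;;  # resolves inside the mirror tree: nothing to report
                (*)
                    printf 'OUTSIDE %s -> %s\n' "$link" "$target" ;;
            esac
        done
    )
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1    # at least one link needs review
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_mirror_symlinks "$1"
fi
```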

Red Hat would like to thank the GNU Wget project for reporting this issue.
Upstream acknowledges HD Moore of Rapid7, Inc as the original reporter.

All users of wget are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
wget-1.12-5.el6_6.1.src.rpm
File outdated by:  RHBA-2017:0661
    MD5: f9daf355d55e20af175575d50ae5f09b
SHA-256: d73377c20a96f2b4d887f5b0d0132ff40c52770dd24851bed88fc9c5e120a424
 
IA-32:
wget-1.12-5.el6_6.1.i686.rpm
File outdated by:  RHBA-2017:0661
    MD5: 6ef66059d5840fa002431d5965647169
SHA-256: e24d21cdcd65300a113a24c46f413841fb2808543007d360cb72aa1e1ba774fa
wget-debuginfo-1.12-5.el6_6.1.i686.rpm
File outdated by:  RHBA-2017:0661
    MD5: d0f58fafd07db9557c5d2cc1cf035cbd
SHA-256: f235ee5f55de2085e4dd64d749e26f20f506c58245c3112c96a73426e6bcaba4
 
x86_64:
wget-1.12-5.el6_6.1.x86_64.rpm
File outdated by:  RHBA-2017:0661
    MD5: b535a8f09565abbec099b0d62f192dba
SHA-256: eeaeb4e4f7bd04aa25d192a756b39fa47935cd46116c2461bb5e60637b5568e1
wget-debuginfo-1.12-5.el6_6.1.x86_64.rpm
File outdated by:  RHBA-2017:0661
    MD5: 73aee304801bbe248e03ce985602aec1
SHA-256: a3d70ae848293249cbade130ef5e1b764b28fd5e5d04e5845eff9f92ad01e822
 
Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
wget-1.14-10.el7_0.1.src.rpm
File outdated by:  RHSA-2016:2587
    MD5: f76b403b1ae03a2e3ef66fb28fb57282
SHA-256: ea2a6b80ac94bd77db5608d6e5955a9dc50c9ec7956ae2548f1404abb0639cba
 
x86_64:
wget-1.14-10.el7_0.1.x86_64.rpm
File outdated by:  RHSA-2016:2587
    MD5: a3884a3070c8388566c6aeef2ea73aa3
SHA-256: 85596955529dc357e1027276169b43682dee1cd0f1138691dbc28966716b4356
wget-debuginfo-1.14-10.el7_0.1.x86_64.rpm
File outdated by:  RHSA-2016:2587
    MD5: 74e82b2e0c11bc47fdb53a78a6211534
SHA-256: d8298278dad2950f3930f6056f5d80e5dbd2c3dc7179fa47c192d69d37f12454
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
wget-1.12-5.el6_6.1.src.rpm
File outdated by:  RHBA-2017:0661
    MD5: f9daf355d55e20af175575d50ae5f09b
SHA-256: d73377c20a96f2b4d887f5b0d0132ff40c52770dd24851bed88fc9c5e120a424
 
x86_64:
wget-1.12-5.el6_6.1.x86_64.rpm
File outdated by:  RHBA-2017:0661
    MD5: b535a8f09565abbec099b0d62f192dba
SHA-256: eeaeb4e4f7bd04aa25d192a756b39fa47935cd46116c2461bb5e60637b5568e1
wget-debuginfo-1.12-5.el6_6.1.x86_64.rpm
File outdated by:  RHBA-2017:0661
    MD5: 73aee304801bbe248e03ce985602aec1
SHA-256: a3d70ae848293249cbade130ef5e1b764b28fd5e5d04e5845eff9f92ad01e822
 
Red Hat Enterprise Linux HPC Node (v. 7)

SRPMS:
wget-1.14-10.el7_0.1.src.rpm
File outdated by:  RHSA-2016:2587
    MD5: f76b403b1ae03a2e3ef66fb28fb57282
SHA-256: ea2a6b80ac94bd77db5608d6e5955a9dc50c9ec7956ae2548f1404abb0639cba
 
x86_64:
wget-1.14-10.el7_0.1.x86_64.rpm
File outdated by:  RHSA-2016:2587
    MD5: a3884a3070c8388566c6aeef2ea73aa3
SHA-256: 85596955529dc357e1027276169b43682dee1cd0f1138691dbc28966716b4356
wget-debuginfo-1.14-10.el7_0.1.x86_64.rpm
File outdated by:  RHSA-2016:2587
    MD5: 74e82b2e0c11bc47fdb53a78a6211534
SHA-256: d8298278dad2950f3930f6056f5d80e5dbd2c3dc7179fa47c192d69d37f12454
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
wget-1.12-5.el6_6.1.src.rpm
File outdated by:  RHBA-2017:0661
    MD5: f9daf355d55e20af175575d50ae5f09b
SHA-256: d73377c20a96f2b4d887f5b0d0132ff40c52770dd24851bed88fc9c5e120a424
 
IA-32:
wget-1.12-5.el6_6.1.i686.rpm
File outdated by:  RHBA-2017:0661
    MD5: 6ef66059d5840fa002431d5965647169
SHA-256: e24d21cdcd65300a113a24c46f413841fb2808543007d360cb72aa1e1ba774fa
wget-debuginfo-1.12-5.el6_6.1.i686.rpm
File outdated by:  RHBA-2017:0661
    MD5: d0f58fafd07db9557c5d2cc1cf035cbd
SHA-256: f235ee5f55de2085e4dd64d749e26f20f506c58245c3112c96a73426e6bcaba4
 
PPC:
wget-1.12-5.el6_6.1.ppc64.rpm
File outdated by:  RHBA-2017:0661
    MD5: dfb7aaf2b5c449af7e0a512b67359e41
SHA-256: 7fe541d327176cad7b082d7a320e5f1ed93acb41863f4b0985fcbd8d6f36a1b0
wget-debuginfo-1.12-5.el6_6.1.ppc64.rpm
File outdated by:  RHBA-2017:0661
    MD5: a00cea93ac7d72f69dcd086e02e3d432
SHA-256: 5c23af18a9bfae97f85c2383a31d02f175cfb1b43bc4fc8c2f04d879f3c60d23
 
s390x:
wget-1.12-5.el6_6.1.s390x.rpm
File outdated by:  RHBA-2017:0661
    MD5: 2efbd7be10e4b5e53a959b7af964ff6e
SHA-256: b0ea532393cf53169e53500545fed5edab376515bc4d87933189a7570fc6ac91
wget-debuginfo-1.12-5.el6_6.1.s390x.rpm
File outdated by:  RHBA-2017:0661
    MD5: d458697575f5ff7805e1a1161f351b9f
SHA-256: 7ece73b0b25eadcf8a42f077f83abe6aa9ba2a735e71e36c1fd68033b590a38a
 
x86_64:
wget-1.12-5.el6_6.1.x86_64.rpm
File outdated by:  RHBA-2017:0661
    MD5: b535a8f09565abbec099b0d62f192dba
SHA-256: eeaeb4e4f7bd04aa25d192a756b39fa47935cd46116c2461bb5e60637b5568e1
wget-debuginfo-1.12-5.el6_6.1.x86_64.rpm
File outdated by:  RHBA-2017:0661
    MD5: 73aee304801bbe248e03ce985602aec1
SHA-256: a3d70ae848293249cbade130ef5e1b764b28fd5e5d04e5845eff9f92ad01e822
 
Red Hat Enterprise Linux Server (v. 7)

SRPMS:
wget-1.14-10.el7_0.1.src.rpm
File outdated by:  RHSA-2016:2587
    MD5: f76b403b1ae03a2e3ef66fb28fb57282
SHA-256: ea2a6b80ac94bd77db5608d6e5955a9dc50c9ec7956ae2548f1404abb0639cba
 
PPC:
wget-1.14-10.el7_0.1.ppc64.rpm
File outdated by:  RHSA-2016:2587
    MD5: 9c14c88c2e0084733676215801889b48
SHA-256: 7b1912c87b28a7e2038ff592a3b141d4a784c054468d56a62808495d503f6160
wget-debuginfo-1.14-10.el7_0.1.ppc64.rpm
File outdated by:  RHSA-2016:2587
    MD5: 41779069381cbfcdbf9283c491a479fb
SHA-256: adc49afcf6250fde2fac1dd5ed77f94dbaac5ee6e36699d189f570452f33020f
 
s390x:
wget-1.14-10.el7_0.1.s390x.rpm
File outdated by:  RHSA-2016:2587
    MD5: cc2d3772728891cbfcabe30e19a37a08
SHA-256: 986aff77b99ecf16cf9438ab49288be9f41e432a96e86902e74696d0639b9941
wget-debuginfo-1.14-10.el7_0.1.s390x.rpm
File outdated by:  RHSA-2016:2587
    MD5: 4eb8d6b7497ab81da4b3df0b69d039b8
SHA-256: 9646ee52ac024da9f12dab655de363e17ed3441180ffdb5ef4690745965461e4
 
x86_64:
wget-1.14-10.el7_0.1.x86_64.rpm
File outdated by:  RHSA-2016:2587
    MD5: a3884a3070c8388566c6aeef2ea73aa3
SHA-256: 85596955529dc357e1027276169b43682dee1cd0f1138691dbc28966716b4356
wget-debuginfo-1.14-10.el7_0.1.x86_64.rpm
File outdated by:  RHSA-2016:2587
    MD5: 74e82b2e0c11bc47fdb53a78a6211534
SHA-256: d8298278dad2950f3930f6056f5d80e5dbd2c3dc7179fa47c192d69d37f12454
 
Red Hat Enterprise Linux Server AUS (v. 6.6)

SRPMS:
wget-1.12-5.el6_6.1.src.rpm
File outdated by:  RHBA-2017:0661
    MD5: f9daf355d55e20af175575d50ae5f09b
SHA-256: d73377c20a96f2b4d887f5b0d0132ff40c52770dd24851bed88fc9c5e120a424
 
x86_64:
wget-1.12-5.el6_6.1.x86_64.rpm
    MD5: b535a8f09565abbec099b0d62f192dba
SHA-256: eeaeb4e4f7bd04aa25d192a756b39fa47935cd46116c2461bb5e60637b5568e1
wget-debuginfo-1.12-5.el6_6.1.x86_64.rpm
    MD5: 73aee304801bbe248e03ce985602aec1
SHA-256: a3d70ae848293249cbade130ef5e1b764b28fd5e5d04e5845eff9f92ad01e822
 
Red Hat Enterprise Linux Server EUS (v. 6.6.z)

SRPMS:
wget-1.12-5.el6_6.1.src.rpm
File outdated by:  RHBA-2017:0661
    MD5: f9daf355d55e20af175575d50ae5f09b
SHA-256: d73377c20a96f2b4d887f5b0d0132ff40c52770dd24851bed88fc9c5e120a424
 
IA-32:
wget-1.12-5.el6_6.1.i686.rpm
    MD5: 6ef66059d5840fa002431d5965647169
SHA-256: e24d21cdcd65300a113a24c46f413841fb2808543007d360cb72aa1e1ba774fa
wget-debuginfo-1.12-5.el6_6.1.i686.rpm
    MD5: d0f58fafd07db9557c5d2cc1cf035cbd
SHA-256: f235ee5f55de2085e4dd64d749e26f20f506c58245c3112c96a73426e6bcaba4
 
PPC:
wget-1.12-5.el6_6.1.ppc64.rpm
    MD5: dfb7aaf2b5c449af7e0a512b67359e41
SHA-256: 7fe541d327176cad7b082d7a320e5f1ed93acb41863f4b0985fcbd8d6f36a1b0
wget-debuginfo-1.12-5.el6_6.1.ppc64.rpm
    MD5: a00cea93ac7d72f69dcd086e02e3d432
SHA-256: 5c23af18a9bfae97f85c2383a31d02f175cfb1b43bc4fc8c2f04d879f3c60d23
 
s390x:
wget-1.12-5.el6_6.1.s390x.rpm
    MD5: 2efbd7be10e4b5e53a959b7af964ff6e
SHA-256: b0ea532393cf53169e53500545fed5edab376515bc4d87933189a7570fc6ac91
wget-debuginfo-1.12-5.el6_6.1.s390x.rpm
    MD5: d458697575f5ff7805e1a1161f351b9f
SHA-256: 7ece73b0b25eadcf8a42f077f83abe6aa9ba2a735e71e36c1fd68033b590a38a
 
x86_64:
wget-1.12-5.el6_6.1.x86_64.rpm
    MD5: b535a8f09565abbec099b0d62f192dba
SHA-256: eeaeb4e4f7bd04aa25d192a756b39fa47935cd46116c2461bb5e60637b5568e1
wget-debuginfo-1.12-5.el6_6.1.x86_64.rpm
    MD5: 73aee304801bbe248e03ce985602aec1
SHA-256: a3d70ae848293249cbade130ef5e1b764b28fd5e5d04e5845eff9f92ad01e822
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
wget-1.12-5.el6_6.1.src.rpm
File outdated by:  RHBA-2017:0661
    MD5: f9daf355d55e20af175575d50ae5f09b
SHA-256: d73377c20a96f2b4d887f5b0d0132ff40c52770dd24851bed88fc9c5e120a424
 
IA-32:
wget-1.12-5.el6_6.1.i686.rpm
File outdated by:  RHBA-2017:0661
    MD5: 6ef66059d5840fa002431d5965647169
SHA-256: e24d21cdcd65300a113a24c46f413841fb2808543007d360cb72aa1e1ba774fa
wget-debuginfo-1.12-5.el6_6.1.i686.rpm
File outdated by:  RHBA-2017:0661
    MD5: d0f58fafd07db9557c5d2cc1cf035cbd
SHA-256: f235ee5f55de2085e4dd64d749e26f20f506c58245c3112c96a73426e6bcaba4
 
x86_64:
wget-1.12-5.el6_6.1.x86_64.rpm
File outdated by:  RHBA-2017:0661
    MD5: b535a8f09565abbec099b0d62f192dba
SHA-256: eeaeb4e4f7bd04aa25d192a756b39fa47935cd46116c2461bb5e60637b5568e1
wget-debuginfo-1.12-5.el6_6.1.x86_64.rpm
File outdated by:  RHBA-2017:0661
    MD5: 73aee304801bbe248e03ce985602aec1
SHA-256: a3d70ae848293249cbade130ef5e1b764b28fd5e5d04e5845eff9f92ad01e822
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
wget-1.14-10.el7_0.1.src.rpm
File outdated by:  RHSA-2016:2587
    MD5: f76b403b1ae03a2e3ef66fb28fb57282
SHA-256: ea2a6b80ac94bd77db5608d6e5955a9dc50c9ec7956ae2548f1404abb0639cba
 
x86_64:
wget-1.14-10.el7_0.1.x86_64.rpm
File outdated by:  RHSA-2016:2587
    MD5: a3884a3070c8388566c6aeef2ea73aa3
SHA-256: 85596955529dc357e1027276169b43682dee1cd0f1138691dbc28966716b4356
wget-debuginfo-1.14-10.el7_0.1.x86_64.rpm
File outdated by:  RHSA-2016:2587
    MD5: 74e82b2e0c11bc47fdb53a78a6211534
SHA-256: d8298278dad2950f3930f6056f5d80e5dbd2c3dc7179fa47c192d69d37f12454
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1139181 - CVE-2014-4877 wget: FTP symlink arbitrary filesystem access


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/