This version of Wget is vulnerable to an exploit. Please update Wget to
version 1.12.
Exploit advisory url:
Info:
Description:
A vulnerability has been reported in wget, which can be exploited by malicious
people to conduct spoofing attacks.
The vulnerability is caused due to an error when processing SSL certificates
containing NULL ('\0') characters embedded in certain certificate fields and
can be exploited to spoof certificates for legitimate domains.
This is related to vulnerability #2 in:
SA36093
Solution:
Update to version 1.12.
Provided and/or discovered by:
Independently discovered by Dan Kaminsky and Moxie Marlinspike.
Changelog:
2009-09-23: Updated "Solution" section. Added link to "Original
Advisory" section.
2009-10-01: Added CVE reference.
Original Advisory:
Other References:
SA36093:
CVE reference:
CVE-2009-3490
I like this distro of Wget. Keep up the good work!
Thanks,
Liam
http://secunia.com/advisories/36540/
http://secunia.com/SA36093/
http://ftp.gnu.org/gnu/wget/
http://addictivecode.org/pipermail/wget-notify/2009-August/001808.html
http://hg.addictivecode.org/wget/mainline/rev/1eab157d3be7
http://permalink.gmane.org/gmane.comp.web.wget.general/8972
http://secunia.com/advisories/36093/
http://secunia.com/advisories/cve_reference/CVE-2009-3490/
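The NUL-byte issue the advisory above describes, shown as an added example; this is not wget's, Secunia's or anyone in the thread's code. It mimics the pre-1.12 behaviour (the commonName is read back as a C string, so everything after an embedded NUL vanishes before the hostname comparison) beside the class of check wget 1.12 added (reject a CN whose C-string length differs from its ASN.1 length). The helper names, the constructed commonName values and the simplification that only the subject CN is checked (real wget also looks at subjectAltName entries) are assumptions of the example, not facts from the thread.

```python
"""Added example (not wget's own code): why an embedded NUL in a certificate
subject lets an attacker's certificate pass a hostname check, and the length
check that closes the hole.

Assumptions (not from the thread): the helper names below, the sample
common names, and the simplification that the subject CN is the only name
checked (real wget also looks at subjectAltName dNSName entries)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Asn1String:
    """The commonName as it sits in the certificate: explicit length, any bytes."""
    data: bytes

    @property
    def length(self) -> int:
        return len(self.data)


def as_c_string(value: Asn1String) -> str:
    """Mimic copying the CN into a char buffer and reading it back as a C string:
    everything from the first NUL onward is invisible to strlen/strcmp."""
    return value.data.split(b"\x00", 1)[0].decode("latin-1")


def names_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; a leading '*.' matches exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) >= 2 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == host


def vulnerable_match(cn: Asn1String, host: str) -> bool:
    """Pre-1.12 behaviour: compare the truncated C string and nothing else."""
    return names_match(as_c_string(cn), host)


def fixed_match(cn: Asn1String, host: str) -> bool:
    """1.12-style fix: a CN whose C-string length differs from its ASN.1 length
    contains a NUL and is rejected outright, before any name comparison."""
    text = as_c_string(cn)
    if len(text) != cn.length:
        return False
    return names_match(text, host)


# Constructed sample CNs (not real certificates). A CA validating the spoofed
# one sees a name ending in attacker.example, which the attacker really owns.
HONEST_CN = Asn1String(b"www.example.com")
SPOOFED_CN = Asn1String(b"www.example.com\x00.attacker.example")
WILDCARD_CN = Asn1String(b"*.example.com")


def match_demo() -> dict:
    """Run both comparators against the constructed CNs for one target host."""
    target = "www.example.com"
    return {
        "honest_vulnerable": vulnerable_match(HONEST_CN, target),
        "honest_fixed": fixed_match(HONEST_CN, target),
        "spoofed_vulnerable": vulnerable_match(SPOOFED_CN, target),
        "spoofed_fixed": fixed_match(SPOOFED_CN, target),
        "wildcard_fixed": fixed_match(WILDCARD_CN, target),
    }


if __name__ == "__main__":
    for name, ok in match_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The vulnerable comparator accepts the spoofed certificate because the only thing it ever compares is `www.example.com`; the fixed one notices that the C string does not account for the full ASN.1 length and refuses the certificate without looking at the name at all, which is the safer order (a mismatch in length is evidence of tampering, not a name to be matched more carefully).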
I compiled wget-1.12.1-devel and openssl-0.9.8k. No IDN, no NLS.
8c7f549af8569d2ac66803626539742ce25c409c *wget-1.12.1-devel-and-openssl-0.9.8k.zip
http://drop.io/GetGnuWin32/asset/wget-1-12-1-devel-and-openssl-0-9-8k-zip
http://drop.io/GetGnuWin32/asset/wget-1-12-1-devel-and-openssl-0-9-8k-sha
http://drop.io/GetGnuWin32/asset/wget-1-12-1-devel-and-openssl-0-9-8k-md5
Hmm, I see a slight fault in the logic chain of thought here.
First, one person is concerned about a relatively obscure security problem in
wget that, as far as I understand, doesn't affect the overwhelming majority of
use cases of wget where SSL isn't involved. So, presumably, only slightly
paranoid and/or extremely security-conscious people are concerned, including
people who actually use wget for download of security-sensitive material from
https URLs.
Then somebody else provides a fixed executable of wget, hosted on some site
nobody has ever heard of, not using https, located in the British Indian Ocean
Territory if you believe the TLD, and expects these paranoid and/or extremely
security-conscious people to download and use it.
I hope you see my point‽
If you are afraid of a vulnerability in wget that means somebody can spoof an
SSL certificate, and thus make you download something you didn't intend,
shouldn't you be equally afraid of downloading a compiled wget binary provided
by some random person on the net, who might have inserted code in it to do
something nasty? (And I don't mean just some off-the-shelf malware payload
that anti-malware software would notice.) (No offence to raysatiro; I am also
just another random person on the net.)
--tml
I am a developer for the GetGnuWin32 (Automated GnuWin32 download tool)
project and other projects. I don't use SourceForge very much and so I have
not associated myself with any projects. I did request recently to be added to
the GetGnuWin32 project developers list.
I offer test builds using drop.io for a number of reasons, but convenience
mostly. However when I do that I release the hash in some type of secure way.
Either it's signed by me in an e-mail or, as once on the SF message boards
(https), released there as well.
Sometimes I must make my own more recent build of a program that is part of
the GnuWin32 project for bugfixes.
I have uploaded the patches I made with very specific instructions on how to
compile OpenSSL and Wget. Also, wget-1.12.1-devel has only compatibility
changes for windows as compared to wget-1.12.
The instructions are in readme.txt; read the readme.
e7c3faae20b871f0fc78fa1d7b9d909b0f612394 *BUILD_FILES_wget-1.12.1-devel-and-openssl-0.9.8k.zip
http://drop.io/GetGnuWin32/asset/build-files-wget-1-12-1-devel-and-openssl-0-9-8k-zip
http://drop.io/GetGnuWin32/asset/build-files-wget-1-12-1-devel-and-openssl-0-9-8k-sha
http://drop.io/GetGnuWin32/asset/build-files-wget-1-12-1-devel-and-openssl-0-9-8k-md5
The O.P. also can simply choose to uninstall wget (the best option) until
there is an official build hosted on this site or at least use it cautiously
until then. There are people willing to test development builds which should
not have the vulnerability that is a concern. I don't use wget myself so I
have no reason to install it.
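The point tml raises and raysatiro's answer (a third-party binary is only as trustworthy as the channel the digest came over), as an added example that is not part of the thread and not GetGnuWin32's code. It checks a download against a sha1sum-style line of the form posted above, where that line must itself have arrived over a channel the hosting site could not tamper with (a signed mail, an https page the author controls). The function names and the constructed stand-in "download" are assumptions of the example; the real zip files and their digests are not reproduced.

```python
"""Added example (not part of the thread or of GetGnuWin32): checking a
downloaded build against a sha1sum-style line, where the line itself must
have arrived over a channel the download site could not have tampered with
(a signed mail, an https page).

Assumptions: the function names, and the constructed 'download' below; the
real zip files and their digests are not reproduced here."""

import hashlib
import hmac
from typing import Optional, Tuple

# Digest length in hex characters -> hashlib algorithm name.
_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_checksum_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse 'HEX *name' (binary mode) or 'HEX  name' (text mode) as written
    by sha1sum/md5sum/sha256sum. Returns (hexdigest, filename) or None if the
    line is malformed or uses a digest length this example does not know."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    digest, name = parts
    if name.startswith("*"):
        name = name[1:]
    digest = digest.lower()
    if len(digest) not in _ALGORITHMS or any(c not in "0123456789abcdef" for c in digest):
        return None
    return digest, name


def verify_download(data: bytes, checksum_line: str,
                    expected_name: Optional[str] = None) -> bool:
    """True only if the digest of `data` equals the published one. Uses a
    constant-time compare and, when asked, insists the filename matches too,
    so a digest for some other file cannot be passed off as this one's."""
    parsed = parse_checksum_line(checksum_line)
    if parsed is None:
        return False
    digest, name = parsed
    if expected_name is not None and name != expected_name:
        return False
    actual = hashlib.new(_ALGORITHMS[len(digest)], data).hexdigest()
    return hmac.compare_digest(actual, digest)


# Constructed stand-in for a downloaded zip; its digests are the standard
# 'abc' test vectors, so the expected values are known in advance.
DOWNLOADED = b"abc"
PUBLISHED_SHA1 = "a9993e364706816aba3e25717850c26c9cd0d89d *wget-build.zip"
PUBLISHED_MD5 = "900150983cd24fb0d6963f7d28e17f72 *wget-build.zip"


def checksum_demo() -> dict:
    """Genuine file, a tampered file, and a digest published for another name."""
    return {
        "genuine": verify_download(DOWNLOADED, PUBLISHED_SHA1, "wget-build.zip"),
        "genuine_md5": verify_download(DOWNLOADED, PUBLISHED_MD5, "wget-build.zip"),
        "tampered": verify_download(b"abd", PUBLISHED_SHA1, "wget-build.zip"),
        "wrong_name": verify_download(DOWNLOADED, PUBLISHED_SHA1, "other.zip"),
    }


if __name__ == "__main__":
    for name, ok in checksum_demo().items():
        print(f"{name}: {'OK' if ok else 'REJECTED'}")
```

The check only means something when the digest line came from somewhere the attacker could not also rewrite: a .sha file sitting next to the .zip on the same unauthenticated host proves nothing, since whoever swapped the zip can swap the digest. A signed e-mail or an https page under the builder's control is what raysatiro describes, and that is the part a verifier cannot skip.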
openssl-0.9.8k has a recently found severe security problem (CVE-2009-3555).
Recently released openssl-0.9.8l (Nov 05 2009) disables all renegotiation and
fixes that problem.
I have compiled openssl-0.9.8l. The files are available here:
31f65e5bc3962c5f97e91e6907c61694365a1be1 *wget-1.12.1-devel-and-openssl-0.9.8l.zip
b0cb01af4b3ba95a28b0c2e56748d06b31c2c82a *BUILD_FILES_wget-1.12.1-devel-and-openssl-0.9.8l.zip
I am releasing a new version of GetGnuWin32 (it broke this week) on Sunday and
it's likely it will include the files in wget-1.12.1-devel-and-openssl-0.9.8l.zip
http://drop.io/GetGnuWin32
Please add my request for new packages for wget. This distribution contains an
old openssl version with a number of significant problems. Getting fixed
packages out should be a high priority for the developers.
The sky is falling! The sky is falling!
Hey guys,
Strangely I didn't get the usual emails from SourceForge until a day or two
ago to notify me that replies had been posted. Not sure what happened there...
but sh1t happens I guess.
Anyhoo, thanks for compiling new versions raysatiro. I wonder when the dev
team are going to post some new builds themselves. I expect many users would
prefer to download from them directly if possible. Did they accept you on the
dev team yet raysatiro?
Yeah, I am aware that even reporting this relatively minor issue would tend to
make me look a little paranoid, but that's not really the case. This
particular project has a history of ignoring security issues, so I just keep
posting them in the forums/bugs. I reported an "important" security flaw last
year which had remained unpatched for 3 whole years:
https://sourceforge.net/tracker/index.php?func=detail&aid=2162975&group_id=23617&atid=379173
You have got to admit that 3 years is pretty woeful. If anyone has contacts on
the dev team, do us all a favor and light a fire under their @ss about their
current security posture. I don't mean to be rude or anything, especially as
it costs end users nothing to use - being open source and all, but yeah...
improvements are needed.
Anyway, at the end of the day Wget still rules, and I appreciate the hard work
of everyone who has contributed to this project.
Liam
I actually went ahead and installed Jay's development build and have been
testing it. I also have built OpenSSL 0.9.8l myself using Visual C++ 9 Express
Edition. That is partly why I have not requested an update to that package
which apparently is not being maintained anymore. I don't know if `wget' can
be built with GnuTLS instead of OpenSSL but even the latest GnuTLS may have
the same problem that Jay alluded to in his last reply.