Re: wget-1.24.5 released [stable]

[Sam James]

Darshit Shah <darnir@gnu.org> writes:

> This is to announce wget-1.24.5, a stable release.
>
> This is another relative slow release with minor bug fixes. The main
> one being a correction in how subdomains of Top-Level Domains (TLDs)
> are treated when checking for suffixes during HSTS lookups. This is a
> very low criticality vulnerability that has now been patched.
>
> There have been 33 commits by 6 people in the 43 weeks since 1.21.4.
>
> See the NEWS below for a brief summary.
>
> Thanks to everyone who has contributed!
> The following people contributed changes to this release:
>
>   Christian Weisgerber (1)
>   Darshit Shah (20)
>   Jan Palus (1)
>   Jan-Michael Brummer (1)
>   Tim Rühsen (9)
>   Yaakov Selkowitz (1)
>
> Darshit Shah
>  [on behalf of the wget maintainers]
> ==================================================================
>
> Here is the GNU wget home page:
> https://gnu.org/s/wget/
>
> For a summary of changes and contributors, see:
> https://git.sv.gnu.org/gitweb/?p=wget.git;a=shortlog;h=v1.24.5
> or run this command from a git-cloned wget directory:
>   git shortlog v1.21.4..v1.24.5
>
> Here are the compressed sources:
> https://ftpmirror.gnu.org/wget/wget-1.24.5.tar.gz (5.0MB)
> https://ftpmirror.gnu.org/wget/wget-1.24.5.tar.lz (2.5MB)
>
> Here are the GPG detached signatures:
> https://ftpmirror.gnu.org/wget/wget-1.24.5.tar.gz.sig
> https://ftpmirror.gnu.org/wget/wget-1.24.5.tar.lz.sig
>
> Use a mirror for higher download bandwidth:
> https://www.gnu.org/order/ftp.html
>
> Here are the SHA1 and SHA256 checksums:
>
>   62525de6f09486942831ca2e352ae6802fc2c3dd  wget-1.24.5.tar.gz
>   +i3DW6tRhOy8Rqnvg97yqqo/TJ88l9S9GdywfU2mN94=  wget-1.24.5.tar.gz
>   01659f427c2e90c7c943805db69ea00f5da79b07  wget-1.24.5.tar.lz
>   V6EHFR5O+U/flK/+z6xZiWPzcvEyk+2cdAMhBTkLNu4=  wget-1.24.5.tar.lz
>
> Verify the base64 SHA256 checksum with cksum -a sha256 --check
> from coreutils-9.2 or OpenBSD's cksum since 2007.
>
> Use a .sig file to verify that the corresponding file (without the
> .sig suffix) is intact.  First, be sure to download both the .sig file
> and the corresponding tarball.  Then, run a command like this:
>
>   gpg --verify wget-1.24.5.tar.gz.sig
>
> The signature should match the fingerprint of the following key:
>
>   pub   rsa4096 2015-10-14 [SC]
>         7845 120B 07CB D8D6 ECE5  FF2B 2A17 43ED A91A 35B6
>   uid   Darshit Shah <gpg@darnir.net>
>   uid   Darshit Shah <darnir@gnu.org>
>
> If that command fails because you don't have the required public key,
> or that public key has expired, try the following commands to retrieve
> or refresh it, and then rerun the 'gpg --verify' command.
>
>   gpg --locate-external-key gpg@darnir.net
>
>   gpg --recv-keys 64FF90AAE8C70AF9
>
>   wget -q -O-
> 'https://savannah.gnu.org/project/release-gpgkeys.php?group=wget&download=1'
> | gpg --import -
>

The version of your key in this keyring seems to be expired. Could you
upload a new one? Thanks.

> As a last resort to find the key, you can try the official GNU
> keyring:
>
>   wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
>   gpg --keyring gnu-keyring.gpg --verify wget-1.24.5.tar.gz.sig
>
> This release was bootstrapped with the following tools:
>   Autoconf 2.72
>   Automake 1.16.5
>   Gnulib v0.1-7211-gd15237a22b
>
> NEWS
>
> * Noteworthy changes in release 1.24.5 (2024-03-10) [stable]
>
> ** Fix how subdomain matches are checked for HSTS.
>    Fixes a minor issue where cookies may be leaked to the wrong domain
>
> ** Wget will now also parse the srcset attribute in <source> HTML tags
>
> ** Support reading fetchmail style "user" and "passwd" fields from netrc
>
> ** In some cases, prevent the confusing "Cannot write to... (success)"
>    error messages
>
> ** Support extremely fast download speeds (TB/s).
>    Previously this would cause Wget to crash when printing the speed
>
> ** Improve portability on OpenBSD to run the test suite
>
> ** Ensure that CSS URLs are corectly quoted (Bug: 64082)
>
> [2. OpenPGP public key --- application/pgp-keys; 
> OpenPGP_0x2A1743EDA91A35B6.asc]...