Re: [Bug-wget] [Secunia Research] GNU wget Vulnerability Report - Reques
From: Tim Rühsen
Subject: Re: [Bug-wget] [Secunia Research] GNU wget Vulnerability Report - Request for Details
Date: Thu, 4 Apr 2019 17:38:06 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
On 4/4/19 4:42 PM, Josef Moellers wrote:
> On 04.04.19 09:27, Tim Rühsen wrote:
>> On 4/4/19 3:14 AM, Secunia Research wrote:
>>> Hello,
>>>
>>> We are currently processing a report published by a third-party [1] for GNU
>>> wget and are currently evaluating it to publish a Secunia Advisory for this.
>>> Please see the original report for details.
>>>
>>> We would appreciate to receive your comments on those issues before we
>>> publish our advisory based on this information.
>>>
>>> * Can you confirm the vulnerability?
>>
>> Yes
>
> Can you please elaborate what EXACTLY the vulnerability is? I have
> searched through the (quite hefty) diff between 1.20.1 and 1.20.2 and
> have found only 4 differences that may be viewed as these, but the
> changes in
> src/ftp-ls.c and
> src/http.c
> do not fix a vulnerability.
> The CVE-entry is not quite helpful, to say the least ;-)
Well, I could tell you details since I have a PoC and I made the fix.
But maybe there is a reason why the JVN people don't include the PoC
within their report. I am asking them...
Regards, Tim