==========================================================================
Ubuntu Security Notice USN-3464-1
October 26, 2017

wget vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 17.10
– Ubuntu 17.04
– Ubuntu 16.04 LTS
– Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Wget.

Software Description:
– wget: retrieves files from the web

Details:

Antti Levomäki, Christian Jalio, and Joonas Pihlaja discovered that Wget
incorrectly handled certain HTTP responses. A remote attacker could use
this issue to cause Wget to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2017-13089, CVE-2017-13090)

Dawid Golunski discovered that Wget incorrectly handled recursive or
mirroring mode. A remote attacker could possibly use this issue to bypass
intended access list restrictions. (CVE-2016-7098)

Orange Tsai discovered that Wget incorrectly handled CRLF sequences in
HTTP headers. A remote attacker could possibly use this issue to inject
arbitrary HTTP headers. (CVE-2017-6508)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
wget 1.19.1-3ubuntu1.1

Ubuntu 17.04:
wget 1.18-2ubuntu1.1

Ubuntu 16.04 LTS:
wget 1.17.1-1ubuntu1.3

Ubuntu 14.04 LTS:
wget 1.15-1ubuntu1.14.04.3

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3464-1
CVE-2016-7098, CVE-2017-13089, CVE-2017-13090, CVE-2017-6508

Package Information:
https://launchpad.net/ubuntu/+source/wget/1.19.1-3ubuntu1.1
https://launchpad.net/ubuntu/+source/wget/1.18-2ubuntu1.1
https://launchpad.net/ubuntu/+source/wget/1.17.1-1ubuntu1.3
https://launchpad.net/ubuntu/+source/wget/1.15-1ubuntu1.14.04.3

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2

iQIcBAEBCgAGBQJZ8jG2AAoJEGVp2FWnRL6T3bQQALy+RfKyapjfJw4rqPpPa2OS
Unq5rSYDcTQDisGIeZ9//yqUtssVvGsEV3i0LZQmAi+SL+vawfxhQRjuRWtp9Wwc
UZ8zDrJbFVtblB9NiZQ1byn3RPINM8FWT0z7awcp4lPfvNlxx4InbeK4Xwakn/WS
dWngtZ2v0hGBK3GAqb5HSifPi2M8ioWi6+ANruSzMl4qBEF/dZ7qpkLiu3JC9vqm
H9rHef9cG7igkFB7WLOkVLeTGSMR38O4APuCvH8LEeif4RgxTKcotPo4GkNROE24
nD3XM73b8mr8yz140VRHZf1aQ2EsE6NNIlC/pRIWMqE77OUKIirZ7M1evaEWdRNe
ma2ZGZ6wp4u2july+Ci2pcMePh+pu4U634vw1ExQglZnespJA9J9V0igBOJXPKRI
dMDFdaVV6g+lnKmXO17AnWJGyf7piLQWUFsYBQ5rH5RL7/Vt5S1t8gOhdEcIWZED
S6Ve3EFWBR1fy/9Z2yZju4iYOWMAczxqDdAQwkyj1m/F5qGxh7kYFa9M/FPTpGPw
NS7VOq5xgHlccMst/13sDlGZQPozTXmTHfpgNvry8/KvZyyhbvD2O5f7zIVwcFfU
BOpfvzVXacp1GP7xGQtgWqAA1yi0RiXFS1B5Ny+3QxW/vt7NocAqZvw+/Q4IdayP
odwwsB50WMZMs41OOUFg
=PnJD
—–END PGP SIGNATURE—–
—