DSA-1904-1 wget -- insufficient input validationID: oval:org.secpod.oval:def:600474 | Date: (C)2011-05-13 (M)2022-10-10 |
Class: PATCH | Family: unix |
Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using http and ftp, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field. For the oldstable distribution , this problem has been fixed in version 1.10.2-2+etch1. For the stable distribution , this problem has been fixed in version 1.11.4-2+lenny1. For the testing distribution , this problem will be fixed soon. For the unstable distribution , this problem has been fixed in version 1.12-1. We recommend that you upgrade your wget packages.
Platform: |
Debian 5.0 |
Debian 4.0 |