Security Advisory and Request for Wget Update: 1.10.2
Harold L Hunt II
Tue Nov 15 20:53:00 GMT 2005
Thanks for the heads up, but next time I'll take the notice without the
lip, thank you.
Alan Dobkin wrote:
> FYI, Wget 1.10.2 was released over a month ago (on October 13, 2005):
>>The latest stable version of Wget is 1.10.2. This release contains
>>fixes for a major security problem: a remotely exploitable buffer
>>overflow vulnerability in the NTLM authentication code. All Wget users
>>are strongly encouraged to upgrade their Wget installation to the last
> It seems that Harold Hunt is the new wget maintainer, and I do not wish
> to take his place, but new releases such as this (especially security
> updates that affect Windows) should be provided in a timely manner.
> P. S. -- Apparently this is the same bug that also affected cURL, which
> has no current maintainer....
> On 10/23/2005 3:46 PM, Yaakov S (Cygwin Ports) wrote:
>>cURL is vulnerable to a buffer overflow which could lead to the
>>execution of arbitrary code.
>>Solution: upgrade to 7.15.0.
>>Workaround until solved:
>>Disable NTLM authentication by not using the --anyauth or --ntlm
>>options when using cURL (the command line version). Workarounds for
>>programs that use the cURL library depend on the configuration options
>>presented by those programs.
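
An added example, not part of the original thread: a shell check for the two points the quoted advisories make, namely whether the installed wget or curl predates the fixed releases named above (1.10.2 and 7.15.0) and whether any script still passes `--ntlm` or `--anyauth` to curl. The function names and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; fixed versions are the ones named in the thread.

fixed_version() {            # first release carrying the NTLM fix
    case "$1" in
        wget) echo 1.10.2 ;;
        curl) echo 7.15.0 ;;
        *)    return 1 ;;
    esac
}

version_lt() {               # true when dotted version $1 sorts before $2
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

needs_update() {             # needs_update TOOL VERSION; 2 = unknown tool
    fixed=$(fixed_version "$1") || return 2
    version_lt "$2" "$fixed"
}

installed_version() {        # first dotted number on the --version banner
    "$1" --version 2>/dev/null | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

ntlm_flag_lines() {          # curl calls that enable NTLM (files or stdin)
    grep -nE 'curl[[:space:]].*--(ntlm|anyauth)([[:space:]]|$)' "$@"
}

sample_script() {            # constructed sample input, not from the thread
    printf '%s\n' 'curl --ntlm -u user http://proxy.example/x' \
                  'wget http://example.com/f'
}

audit() {                    # audit [SCRIPT...]
    for tool in wget curl; do
        v=$(installed_version "$tool")
        [ -n "$v" ] || continue
        if needs_update "$tool" "$v"; then
            echo "$tool $v: older than $(fixed_version "$tool"), update"
        else
            echo "$tool $v: ok"
        fi
    done
    [ "$#" -eq 0 ] || ntlm_flag_lines "$@" || echo "no --ntlm/--anyauth use found"
}

audit "$@"
```

Pass script paths as arguments to have `audit` list every curl line that still enables NTLM.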