[Secure-testing-team] Bug#857073: wget: CVE-2017-6508: CRLF injection in the url_parse function in url.c
Salvatore Bonaccorso
carnil at debian.org
Tue Mar 7 19:52:12 UTC 2017
Source: wget
Version: 1.16-1
Severity: important
Tags: patch security upstream
Forwarded: http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
Hi,
the following vulnerability was published for wget.
CVE-2017-6508[0]:
| CRLF injection vulnerability in the url_parse function in url.c in Wget
| through 1.19.1 allows remote attackers to inject arbitrary HTTP headers
| via CRLF sequences in the host subcomponent of a URL.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
[1] http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
[2] http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list