Linux distributions update for Web flaw
- 04 September, 2010 03:21
- Comments
A number of Linux distributors have issued patches for fixing a widely used program that fetches Web pages, called Wget, so it can not be misused by attackers.
Canonical and Mandriva have both released advisories of this vulnerability, as well as updated their software to a fixed version. Red Hat has not updated this flaw, according to the company website.
Included in most Linux distributions, the GNU Wget is a program that can retrieve Web pages and other Internet files. A widely used command line tool, it is often embedded in scripts and programs for automatically downloading large numbers of Web pages, which can be useful for indexing the Web. It also works with FTP (File Transfer Protocol).
Versions 1.12 and older possess a vulnerability that attackers could use to inject malicious code into the host machine running the software. As the software downloads a file, the server provides it with a file name that can be substituted with a pointer to a file with executable code, which, in turn, can overwrite an existing file or be inserted into the start-up routine.
The OpenWall Project, a group that focuses on open-source security, discovered the vulnerability late last year, but it was, according to the group, initially ignored by the Wget maintainers.
The keepers of the CVE (Common Vulnerabilities and Exposures) database are reviewing the vulnerability, CVE-2010-2252, and it has been classified as a medium risk.
Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com
- Bookmark this page
- Share this article
- Got more on this story? Email TechWorld
- Follow TechWorld on twitter
- USN-982-1: Wget vulnerability : Ubuntu
- Advisories : Mandriva
- redhat.com : CVE-2010-2252
- GNU Wget
- lwp-download - search.cpan.org
- LFTP - sophisticated file transfer program
- oss-security - Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability
- Openwall Project - Information Security software for open environments
- oCERT.org - oCERT Advisories
- CVE-2010-2252
- National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-2252)
- @Joab_Jackson
- Joab_Jackson@idg.com
-
Lenovo ordered to pay €1920 for making French laptop buyer pay for Windows too
-
Wikileaks suspect to face US court-martial
-
Wikileaks suspect to face US court-martial
-
Telstra reports issue with BigPond email accounts
-
Samsung Galaxy S II Android phone
-
Office 2007 for Dummies
-
Computers for Seniors for Dummies, 2nd Edition
-
Windows 7 for Dummies® Dvd+book Bundle
-
MYOB Software for Dummies 6E Australian Edition
-
Windows 7 for Dummies®
-
Office 2007 All-In-One Desk Reference for Dummies
-
Microsoft Office
-
Excel 2007 All-In-One Desk Reference for Dummies
-
Teach Yourself Visually Windows 7
Get exclusive access to Techworld news, reports & analysis. 
Comments
Post new comment