Yellow Dog Linux Security Announcement
--------------------------------------

Package:      wget
Issue Date:   December 27, 2002
Priority:     high
Advisory ID:  YDU-20021227-2

1. Topic:

Updated wget packages are available.

2. Problem:

"Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system. FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3). If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shost, etc.) that can then be used for later attacks against the client machine." (from Red Hat advisory)

3. Solution:

a) Updating via apt...

We suggest that you use the apt-get program to keep your system up-to-date. The following command(s) will retrieve and install the fixed version of this update onto your system:

    apt-get update
    apt-get install wget

b) Updating manually...

Download the updates below and then run the following rpm command. (Please use a mirror site)

    rpm -Fvh [filenames]

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
    ppc/wget-1.8.2-4.73.ppc.rpm

4. Verification

MD5 checksum                      Package
--------------------------------  ----------------------------
7fbf00ac5fe72dbae1bfd021ece3da24  ppc/wget-1.8.2-4.73.ppc.rpm
c2361ba27a4f5e6c150e85b13453bf79  SRPMS/wget-1.8.2-4.73.src.rpm

If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command:

    rpm --checksig --nogpg filename

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more information.
For information regarding the usage of apt-get, see: http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
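The check section 2 says an FTP client must perform, shown as an added example (not wget's code and not part of the advisory): each NLST entry is accepted only if it is a bare filename, and the resulting local path is confirmed to stay inside the download directory. The sample listing and the download directory path are constructed for illustration.

```python
from __future__ import annotations

import os
from typing import Optional


def nlst_entry_is_safe(entry: str) -> bool:
    """Return True only if an NLST entry is a bare filename.

    RFC 959 section 4.1.3 says NLST returns filenames only, so any directory
    information (a leading '/', a '/' or '\\' anywhere, '.' or '..', a NUL byte)
    is rejected instead of being joined onto a local path.
    """
    if not entry or "\0" in entry:
        return False
    if "/" in entry or "\\" in entry:
        return False
    if entry in (".", ".."):
        return False
    return True


def local_target(download_dir: str, entry: str) -> Optional[str]:
    """Map an entry to a local path, or None if it would land outside download_dir.

    realpath() also resolves symlinks, so a bare name that is a symlink pointing
    outside the download directory is refused as well.
    """
    if not nlst_entry_is_safe(entry):
        return None
    base = os.path.realpath(download_dir)
    candidate = os.path.realpath(os.path.join(base, entry))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def filter_nlst_listing(listing: bytes, download_dir: str) -> tuple[list[str], list[str]]:
    """Split a raw NLST response into (accepted local paths, rejected entries)."""
    accepted: list[str] = []
    rejected: list[str] = []
    for line in listing.decode("utf-8", errors="replace").split("\r\n"):
        if not line:
            continue
        target = local_target(download_dir, line)
        if target is None:
            rejected.append(line)
        else:
            accepted.append(target)
    return accepted, rejected


# Constructed NLST response: two honest entries plus the kinds of entries
# the advisory describes (absolute path, '/../' traversal, subdirectory).
SAMPLE_NLST = (
    b"index.html\r\n"
    b"/root/.rhosts\r\n"
    b"../../home/victim/.forward\r\n"
    b"notes.txt\r\n"
    b"docs/.shost\r\n"
)
```

Running filter_nlst_listing(SAMPLE_NLST, "/tmp/ydl_wget_example") keeps index.html and notes.txt under the download directory and rejects the other three entries.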