Oracle Linux 6 : wget (ELSA-2014-0151)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing a security update.

Description :

From Red Hat Security Advisory 2014:0151 :

An updated wget package that fixes one security issue and one bug is
now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Low
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The wget package provides the GNU Wget file retrieval utility for the
HTTP, HTTPS, and FTP protocols. Wget provides various useful features,
such as the ability to work in the background while the user is logged
out, recursive retrieval of directories, file name wildcard matching,
and updating files based on file timestamp comparison.

It was discovered that wget used a file name provided by the server
when saving a downloaded file. This could cause wget to create a file
with a different name than expected, possibly allowing the server to
execute arbitrary code on the client. (CVE-2010-2252)

Note: With this update, wget always uses the last component of the
original URL as the name for the downloaded file. Previous behavior of
using the server provided name or the last component of the redirected
URL when creating files can be re-enabled by using the
'--trust-server-names' command line option, or by setting
'trust_server_names=on' in the wget start-up file.
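The following is an added illustration, not wget's own code: a small model of the file-name selection the advisory describes, contrasting the post-update default (last component of the original URL) with the '--trust-server-names' behaviour (server-supplied Content-Disposition name, else the last component of the redirected URL). The URLs, headers and the "index.html" fallback for directory URLs are constructed assumptions for the demonstration.

```python
import re
from posixpath import basename
from urllib.parse import urlsplit, unquote


def last_path_component(url):
    """Last component of the URL path, decoded; 'index.html' for a bare directory (assumed fallback)."""
    name = unquote(basename(urlsplit(url).path))
    return name or "index.html"


def content_disposition_filename(headers):
    """Extract filename= from a Content-Disposition header, if present (constructed minimal parser)."""
    value = headers.get("Content-Disposition")
    if not value:
        return None
    match = re.search(r'filename="?([^";]+)"?', value)
    if not match:
        return None
    # Strip any directory part so a server-chosen name cannot escape the working directory.
    return basename(match.group(1).strip())


def choose_output_name(original_url, final_url, final_headers, trust_server_names=False):
    """Model of the advisory's two behaviours.

    trust_server_names=False: the patched default, name taken only from the URL the user typed.
    trust_server_names=True : the old behaviour, name taken from the server (header or redirect target).
    """
    if not trust_server_names:
        return last_path_component(original_url)
    server_name = content_disposition_filename(final_headers)
    if server_name:
        return server_name
    return last_path_component(final_url)


if __name__ == "__main__":
    # Constructed scenario: the requested URL redirects to a differently named resource.
    requested = "https://mirror.example/pkgs/wget-1.12.tar.gz"
    redirected = "https://mirror.example/cache/notes.txt"
    for trust in (False, True):
        print("trust_server_names=%s -> %s" % (
            "on" if trust else "off",
            choose_output_name(requested, redirected, {}, trust_server_names=trust)))
```

Running it shows that only the '--trust-server-names' mode lets the server (via redirect or header) decide the local file name.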

This update also fixes the following bugs :

* Prior to this update, the wget package did not recognize HTTPS SSL
certificates with alternative names (subjectAltName) specified in the
certificate as valid. As a consequence, running the wget command
failed with a certificate error. This update fixes wget to recognize
such certificates as valid. (BZ#1060113)

All users of wget are advised to upgrade to this updated package,
which contains backported patches to correct these issues.

See also :

https://oss.oracle.com/pipermail/el-errata/2014-February/003954.html

Solution :

Update the affected wget package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Oracle Linux Local Security Checks

Nessus Plugin ID: 72419

CVE ID: CVE-2010-2252