wget (SL6)

Synopsis: Low: wget security and bug fix update
Advisory ID: SLSA-2014:0151-1
Issue Date: 2014-02-10
CVE Numbers: CVE-2010-2252

It was discovered that wget used a file name provided by the server when
saving a downloaded file. This could cause wget to create a file with a
different name than expected, possibly allowing the server to execute
arbitrary code on the client. (CVE-2010-2252)

Note: With this update, wget always uses the last component of the
original URL as the name for the downloaded file. The previous behavior of
using the server-provided name or the last component of the redirected URL
when creating files can be re-enabled by using the ‘--trust-server-names’
command line option, or by setting ‘trust_server_names=on’ in the wget
start-up file.
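
A check for the start-up file setting named in the note above, added here as an example (it is not part of the advisory or of wget): it reports whether a wget start-up file turns trust_server_names back on. The function names, the default file locations and the wgetrc parsing rules stated in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): find wget start-up files that
# re-enable server-supplied file names.

# Print "on", "off" or "unset": the effective trust_server_names value
# in the wgetrc-style file $1. Assumed syntax: "name = value" lines,
# '#' comments, names matched ignoring case, '_' and '-', later lines
# overriding earlier ones, and on/yes/1 or off/no/0 as boolean values.
trust_server_names_state() {
    awk '
        BEGIN { state = "unset" }
        {
            sub(/^[ \t]+/, "")                  # drop leading blanks
            if ($0 == "" || $0 ~ /^#/) next     # blank line or comment
            eq = index($0, "=")
            if (eq == 0) next                   # not an assignment
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t_-]/, "", name)           # normalise the name
            if (name != "trustservernames") next
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)  # trim the value
            if (val == "on" || val == "yes" || val == "1") state = "on"
            else if (val == "off" || val == "no" || val == "0") state = "off"
        }
        END { print state }
    ' "$1"
}

# Check each file given (default: /etc/wgetrc and ~/.wgetrc, assumed
# locations). Returns 1 if any readable file turns the setting on.
audit_wgetrc() {
    [ "$#" -gt 0 ] || set -- /etc/wgetrc "$HOME/.wgetrc"
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        state=$(trust_server_names_state "$f")
        printf '%s: trust_server_names is %s\n' "$f" "$state"
        if [ "$state" = "on" ]; then found=1; fi
    done
    return "$found"
}
```

Run audit_wgetrc with no arguments to check the default files, or pass the paths of the start-up files to inspect.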

This update also fixes the following bugs:

* Prior to this update, the wget package did not recognize HTTPS SSL
certificates with alternative names (subjectAltName) specified in the
certificate as valid. As a consequence, running the wget command failed
with a certificate error. This update fixes wget to recognize such
certificates as valid.


– Scientific Linux Development Team