Bug 902709 (CVE-2014-4877) - VUL-0: CVE-2014-4877: wget: FTP symlink arbitrary filesystem access
Status: RESOLVED FIXED
Alias: CVE-2014-4877
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High; Severity: Major
Target Milestone: ---
Deadline: 2014-11-06
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/110188/
Whiteboard: CVSSv2:SUSE:CVE-2014-4877:7.5:(AV:N/A...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on:
Blocks: 910180 911056
Reported: 2014-10-27 13:13 UTC by Sebastian Krahmer
Modified: 2020-06-17 02:13 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 4 Swamp Workflow Management 2014-10-27 23:01:02 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2014-10-30 15:55:17 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-11-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59546
Comment 10 Andreas Stieger 2014-10-30 16:43:33 UTC
network:utilities 1.16 fixed, pending SR to openSUSE:Factory
openSUSE 13.2: 1.15 affected
openSUSE 13.1: 1.14 affected
openSUSE 12.3: 1.13.4 affected
Comment 11 Andreas Stieger 2014-10-30 19:58:11 UTC
Maintenance request to update openSUSE 12.3+13.1+13.2 to wget 1.16:
https://build.opensuse.org/request/show/259043
Please review if that is okay.

To openSUSE:Factory:
https://build.opensuse.org/request/show/258921
Comment 12 Marcus Meissner 2014-11-03 11:45:25 UTC
Reinhard? Please submit.
Comment 24 Marcus Meissner 2014-11-05 13:05:29 UTC
Due to high remote CVSS scoring and customer awareness, even though this is not a problematic issue, we have decided to also release LTSS updates for the existing LTSS codestreams.

(Nothing for you to do Reinhard, same source is used for LTSS as submitted.)
Comment 26 Swamp Workflow Management 2014-11-06 11:05:59 UTC
SUSE-SU-2014:1366-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 885069,901276,902709
CVE References: CVE-2014-4877
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    wget-1.11.4-1.19.1
SUSE Linux Enterprise Server 11 SP3 (src):    wget-1.11.4-1.19.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    wget-1.11.4-1.19.1
Comment 27 Swamp Workflow Management 2014-11-12 18:04:52 UTC
SUSE-SU-2014:1408-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 902709
CVE References: CVE-2014-4877
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    wget-1.10.2-15.14.5
Comment 28 Swamp Workflow Management 2014-11-12 18:05:59 UTC
SUSE-SU-2014:1366-2: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 885069,901276,902709
CVE References: CVE-2014-4877
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    wget-1.11.4-1.19.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    wget-1.11.4-1.19.1
Comment 29 Swamp Workflow Management 2014-11-20 15:04:59 UTC
SUSE-SU-2014:1464-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 902709
CVE References: CVE-2014-4877
Sources used:
SUSE Linux Enterprise Server 12 (src):    wget-1.14-7.1
SUSE Linux Enterprise Desktop 12 (src):    wget-1.14-7.1
Comment 33 Marcus Meissner 2014-12-15 15:11:33 UTC
all done now I think.