Beta Branch wget 1.19.2 update

wget 1.19.2 update

Security bug fix update for wget that Centmin Mod updates. but RedHat/CentOS refuse to fix - marked will not fix by RedHat CVE-2017-6508 - Red Hat Customer Portal

- [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
- CVE-2017-6508 : CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6508
- GNU Wget CVE-2017-6508 CRLF Injection Vulnerability
- Bug 1429984 – CVE-2017-6508 wget: CRLF injection in the url_parse function in url.c

wrong CVE, wget 1.19.2 is for

• Fix CVE-2017-13089 (Stack overflow in HTTP protocol handling)
• Fix CVE-2017-13090 (Heap overflow in HTTP protocol handling)

Continue reading...

123.09beta01 branch

• Branch: GitHub - centminmod/centminmod at 123.09beta01
• Commit History: Commits · centminmod/centminmod · GitHub

 

To update 123.09beta01 to wget 1.19.2, run centmin.sh menu option 23 submenu option 2 update as outlined below. Then re-run centmin.sh which will prompt for auto updating to wget 1.19.2 on 64bit systems only.

When you run centmin.sh after update, it will check it wget is latest and auto update you seeing the message

Code (Text):

./centmin.sh

update wget to 1.19.2 version... one time task

After update you can use -V command to check wget version.

On Centmin Mod 123.09beta01 + CentOS 7.4 64bit system updated wget 1.19.2.

Code (Text):

wget -V
GNU Wget 1.19.2 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 -iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
    /usr/local/etc/wgetrc (system)
Locale:
    /usr/local/share/locale
Compile:
    ccache gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
    -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
    /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
    -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
    --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
Link:
    ccache gcc -I /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g
    -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
    -fstack-protector-strong --param=ssp-buffer-size=4
    -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre
    -lssl -lcrypto -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

On Centmin Mod 123.09beta01 + CentOS 6.9 64bit system updated wget 1.19.2.

Code (Text):

wget -V
GNU Wget 1.19.2 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 -iri +large-file -metalink +nls 
+ntlm +opie -psl +ssl/openssl 

Wgetrc: 
    /usr/local/etc/wgetrc (system)
Locale: 
    /usr/local/share/locale 
Compile: 
    /opt/rh/devtoolset-4/root/usr/bin/gcc -DHAVE_CONFIG_H 
    -DSYSTEM_WGETRC="/usr/local/etc/wgetrc" 
    -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I 
    /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall 
    -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong 
    --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic 
Link: 
    /opt/rh/devtoolset-4/root/usr/bin/gcc -I /usr/local/include 
    -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
    -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 
    -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre 
    -lssl -lcrypto -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a 
    -lrt 

Upgrading Centmin Mod Code to Latest Version

Getting Started Guide step 19 outlines also how to keep Centmin Mod code updated or how to switch version branches.

Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08) (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch swicthing via Git backed environment you can setup. For full details read the following links:

• New centmin.sh menu option 23 updating
• Centmin Mod Upgrades
• Cronjob Auto Updating Centmin Mod Code Guide
• How to upgrade Centmin Mod + backing up customisations

Upgrading Centmin Mod involves 2 parts.

1. Upgrading the actual Centmin Mod code outlined at Upgrade Centmin Mod. This is heart of Centmin Mod where the code is the engine that runs centmin.sh shell based menu and all the automation you're accustomed to. You can easily update within a Centmin Mod version branch or switch version branches via centmin.sh menu option 23 outlined here.
2. Upgrade software that Centmin Mod installed or manages. For this part following outline at How to upgrade Centmin Mod software installed on your server.

 

For non-Centmin Mod CentOS 7 systems, yum update has an update for wget with backported fix

• CVE-2017-13089 - Red Hat Customer Portal
• CVE-2017-13090 - Red Hat Customer Portal

CentOS 5 & 6 not affected by security CVE.

For CentOS 7 the updated package is = wget-1.14-15.el7_4.1.x86_64

 

Technicalities of the wget CVE security vulnerabilities oss-sec: Two vulnerabilities patched in GNU Wget: CVE-2017-13089, CVE-2017-13090

 

yes do yum update too - redhat/centos back ports updates to there base versions instead of changing version name

centmin mod overrides and source updates wget to 1.19.2 for 64bit systems as well

 

to check wget yum updated package, you can also check the change log for it

Display first 6 lines of wget yum package's change log for backported patches for CVE-2017-13089 & CVE-2017-13090

Code (Text):

rpm -qa --changelog wget | head -n6
* Tue Oct 24 2017 Tomas Hozza <thozza@redhat.com> - 1.14-15.1
- Fixed various security flaws (CVE-2017-13089, CVE-2017-13090)

* Fri May 05 2017 Tomas Hozza <thozza@redhat.com> - 1.14-15
- Added TLSv1_1 and TLSv1_2 as secure-protocol values to help (#1439811)
- Fixed synchronization in randomly failing unit test Test-proxied-https-auth (#1448440)