
Beta Branch wget 1.19.2 update

Discussion in 'Centmin Mod Github Commits' started by eva2000, Oct 27, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,626
    6,862
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,307
    Local Time:
    7:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    wget 1.19.2 update

    Security bug fix update for wget that Centmin Mod updates, but RedHat/CentOS refuse to fix - marked will not fix by RedHat: CVE-2017-6508 - Red Hat Customer Portal

    - [Bug-wget] Vulnerability Report - CRLF Injection in Wget Host Part
    - CVE-2017-6508 : CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject
    - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6508
    - GNU Wget CVE-2017-6508 CRLF Injection Vulnerability
    - Bug 1429984 – CVE-2017-6508 wget: CRLF injection in the url_parse function in url.c


    Wrong CVE, wget 1.19.2 is for:

    • Fix CVE-2017-13089 (Stack overflow in HTTP protocol handling)
    • Fix CVE-2017-13090 (Heap overflow in HTTP protocol handling)

    123.09beta01 branch
     
    Last edited: Oct 27, 2017
  2. eva2000

    To update 123.09beta01 to wget 1.19.2, run centmin.sh menu option 23 submenu option 2 update as outlined below. Then re-run centmin.sh which will prompt for auto updating to wget 1.19.2 on 64bit systems only.

    When you run centmin.sh after the update, it will check if wget is the latest version and auto update it, and you will see the message
    Code (Text):
    ./centmin.sh
    
    update wget to 1.19.2 version... one time task
    

    After the update you can use the -V command to check the wget version.

    On a Centmin Mod 123.09beta01 + CentOS 7.4 64bit system, updated to wget 1.19.2:
    Code (Text):
    wget -V
    GNU Wget 1.19.2 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 -iri +large-file -metalink +nls
    +ntlm +opie -psl +ssl/openssl
    
    Wgetrc:
        /usr/local/etc/wgetrc (system)
    Locale:
        /usr/local/share/locale
    Compile:
        ccache gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
        -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
        /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        ccache gcc -I /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g
        -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
        -fstack-protector-strong --param=ssp-buffer-size=4
        -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre
        -lssl -lcrypto -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
    

    On a Centmin Mod 123.09beta01 + CentOS 6.9 64bit system, updated to wget 1.19.2:
    Code (Text):
    wget -V
    GNU Wget 1.19.2 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 -iri +large-file -metalink +nls 
    +ntlm +opie -psl +ssl/openssl 
    
    Wgetrc: 
        /usr/local/etc/wgetrc (system)
    Locale: 
        /usr/local/share/locale 
    Compile: 
        /opt/rh/devtoolset-4/root/usr/bin/gcc -DHAVE_CONFIG_H 
        -DSYSTEM_WGETRC="/usr/local/etc/wgetrc" 
        -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I 
        /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall 
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong 
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic 
    Link: 
        /opt/rh/devtoolset-4/root/usr/bin/gcc -I /usr/local/include 
        -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
        -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 
        -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre 
        -lssl -lcrypto -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a 
        -lrt 
    
    


    Upgrading Centmin Mod Code to Latest Version



    Getting Started Guide step 19 also outlines how to keep Centmin Mod code updated or how to switch version branches.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git-backed environment you can set up. For full details read the following links:
    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code outlined at Upgrade Centmin Mod. This is the heart of Centmin Mod, where the code is the engine that runs the centmin.sh shell based menu and all the automation you're accustomed to. You can easily update within a Centmin Mod version branch or switch version branches via centmin.sh menu option 23 outlined here.
    2. Upgrade software that Centmin Mod installed or manages. For this part follow the outline at How to upgrade Centmin Mod software installed on your server.
     
    Last edited: Oct 27, 2017
    • Like x 1
  3. eva2000

    For non-Centmin Mod CentOS 7 systems, yum update has an update for wget with the backported fix.
    CentOS 5 & 6 are not affected by the security CVE.

    For CentOS 7 the updated package is wget-1.14-15.el7_4.1.x86_64
     
  4. eva2000

    Technicalities of the wget CVE security vulnerabilities: oss-sec: Two vulnerabilities patched in GNU Wget: CVE-2017-13089, CVE-2017-13090

     
  5. Jimmy

    Jimmy Premium Member Premium Member

    1,146
    253
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +615
    Local Time:
    4:14 AM
    1.13.x
    MariaDB 10.1.x
    I just exited out of the Centmin Mod Menu and it did an update check. Noticed:
    Code:
    -------------------------------------------------------------
      Following Updates are available:
    -------------------------------------------------------------
    wget.x86_64                       1.14-15.el7_4.1                        updates
    Should I do this update? Isn't 1.14 below 1.19.2?
     
  6. eva2000

    Yes, do yum update too - RedHat/CentOS backport updates to their base versions instead of changing the version name.

    Centmin Mod overrides this and source-updates wget to 1.19.2 for 64bit systems as well.
     
    • Like x 2
  7. eva2000

    To check the yum-updated wget package, you can also check its change log.

    Display the first 6 lines of the wget yum package's change log for the backported patches for CVE-2017-13089 & CVE-2017-13090
    Code (Text):
    rpm -qa --changelog wget | head -n6
    * Tue Oct 24 2017 Tomas Hozza <thozza@redhat.com> - 1.14-15.1
    - Fixed various security flaws (CVE-2017-13089, CVE-2017-13090)
    
    * Fri May 05 2017 Tomas Hozza <thozza@redhat.com> - 1.14-15
    - Added TLSv1_1 and TLSv1_2 as secure-protocol values to help (#1439811)
    - Fixed synchronization in randomly failing unit test Test-proxied-https-auth (#1448440)
    
     
    • Informative x 1
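The thread gives two ways a host can be considered patched for CVE-2017-13089 / CVE-2017-13090: the Centmin Mod source build reports `wget -V` at 1.19.2 or newer, while the CentOS 7 RPM stays at version 1.14 and only its changelog shows the backport. The script below is an added example, not code from the thread or from the Centmin Mod project: it folds both checks into one decision so that a 1.14 RPM with the backport entry is not misreported as vulnerable. The function names, the sample `wget -V` outputs and the sample changelog texts are constructed for this example (the first entries mirror what the posts above quote); `rpm -q --changelog wget` is the standard form of the command the thread runs as `rpm -qa --changelog wget`.

```shell
#!/bin/sh
# Added example (not from the thread or the Centmin Mod project): decide whether
# the wget on a CentOS/RHEL host carries the CVE-2017-13089 / CVE-2017-13090
# fixes. Two evidence paths are accepted, matching the two update routes in the
# thread: an upstream build at or above 1.19.2 (Centmin Mod's source update),
# or a distro RPM whose changelog records the backported patch (CentOS 7
# wget-1.14-15.el7_4.1), since that RPM's version string alone stays at 1.14.

FIXED_UPSTREAM="1.19.2"
CVES="CVE-2017-13089 CVE-2017-13090"

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Components are compared numerically left to right; missing ones count as 0.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# wget_version OUTPUT: print the version number from `wget -V` output
# ("GNU Wget 1.19.2 built on linux-gnu." -> "1.19.2").
wget_version() {
    printf '%s\n' "$1" | sed -n 's/^GNU Wget \([0-9][0-9.]*\) .*/\1/p' | head -n 1
}

# changelog_has_cves CHANGELOG: succeed when every CVE in $CVES appears in the
# RPM changelog text (rpm -q --changelog wget).
changelog_has_cves() {
    for cve in $CVES; do
        printf '%s\n' "$1" | grep -Fq -- "$cve" || return 1
    done
    return 0
}

# wget_fix_status VOUTPUT CHANGELOG: print "upstream", "backport" or
# "vulnerable"; return 0 for the first two and 1 for the last.
wget_fix_status() {
    v=$(wget_version "$1")
    if [ -n "$v" ] && version_ge "$v" "$FIXED_UPSTREAM"; then
        echo upstream; return 0
    elif changelog_has_cves "$2"; then
        echo backport; return 0
    fi
    echo vulnerable; return 1
}

# check_live_wget: run the same decision against this host (hypothetical
# helper; needs wget, and rpm for the changelog path).
check_live_wget() {
    vout=$(wget -V 2>/dev/null || true)
    log=""
    if command -v rpm >/dev/null 2>&1; then
        log=$(rpm -q --changelog wget 2>/dev/null || true)
    fi
    wget_fix_status "$vout" "$log"
}

# Constructed samples: the source-build output and the patched changelog
# follow what the thread quotes; the 1.14 output and old changelog are made up.
SAMPLE_V_SOURCE='GNU Wget 1.19.2 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 -iri +large-file -metalink +nls'
SAMPLE_V_DISTRO='GNU Wget 1.14 built on linux-gnu.'
SAMPLE_LOG_PATCHED='* Tue Oct 24 2017 Tomas Hozza <thozza@redhat.com> - 1.14-15.1
- Fixed various security flaws (CVE-2017-13089, CVE-2017-13090)

* Fri May 05 2017 Tomas Hozza <thozza@redhat.com> - 1.14-15
- Added TLSv1_1 and TLSv1_2 as secure-protocol values to help (#1439811)'
SAMPLE_LOG_OLD='* Fri May 05 2017 Tomas Hozza <thozza@redhat.com> - 1.14-15
- Added TLSv1_1 and TLSv1_2 as secure-protocol values to help (#1439811)'

case ${1:-} in
    live) check_live_wget ;;
    *)
        # Show the three outcomes on the constructed samples.
        echo "source build 1.19.2:  $(wget_fix_status "$SAMPLE_V_SOURCE" "")"
        echo "CentOS 7 backport:    $(wget_fix_status "$SAMPLE_V_DISTRO" "$SAMPLE_LOG_PATCHED")"
        echo "CentOS 7 old RPM:     $(wget_fix_status "$SAMPLE_V_DISTRO" "$SAMPLE_LOG_OLD")"
        ;;
esac
```

Run it with no arguments to see the three classifications on the embedded samples, or as `sh check-wget.sh live` on a CentOS host to classify the installed wget. Because the distro path only trusts the changelog text, a 1.14 RPM that predates wget-1.14-15.el7_4.1 is still reported as vulnerable, which is the case Jimmy's yum notice above resolves.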