Join the community today
Become a Member

Security wget security vulnerability CVE-2016-4971

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jul 10, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    One of the most commonly used tools to download files on linux is wget. There's a security vulnerability CVE-2016-4971 with wget that needs wget updated to version 1.18+. However, Redhat is refusing to fix it for Redhat 5 and 6 and has deferred its fix in Redhat 7. So unless CentOS does their own fix, they'd be waiting on Redhat ! CentOS 6 uses wget 1.12 and CentOS 7 uses wget 1.14.

    Fixes and mitigation for wget CVE-2016-4971



    Current mitigation and fixes are
    1. Manual update to wget 1.18 to fully fix CVE-2016-4971 or
    2. mitigation by using wget with -O option to rename specifically the files

    Manual wget 1.18 update



    Manual wget update to 1.18 can be done by source compile. Centmin Mod 123.09beta01 has added a new addon at addons/wget.sh which you can run to update wget to 1.18. Full details outlined at Beta Branch - add addons/wget.sh allow newer version of wget on CentOS for 123.09beta01 | Centmin Mod Community

    It will also be auto triggered on 123.09beta01 run of centmin.sh if it detects wget version is not 1.18. You would need to update to latest 123.09beta01 code via centmin.sh menu option 23 - submenu option 2 if already on 123.09beta01 or submenu option 3 to switch and upgrade to 123.09beta01.

    For Centmin Mod 123.09beta01



    Ensure you updated your 123.09beta01 builds via centmin.sh menu option 23 submenu option 2 first.

    Example run on 123.09beta01 latest code with CentOS 7 GCC 4.8.5

    Install via addons/wget.sh - after install, you need to logout of your ssh session and back in again to verify wget version
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./wget.sh install
    


    For Centmin Mod 123.08stable



    Centmin Mod 123.08stable has backported the addons/wget.sh as of July 10th, 2016 updates. So will also auto trigger addons/wget.sh on running centmin.sh. If on older Centmin Mod 123.08stable code base, you can also run centmin.sh menu option 23 submenu option 2 to update the code and then run above newly backported addons/wget.sh. Or you can just grab the addons/wget.sh via github download since addons are meant to be standalone for this reason.

    After install, you need to logout of your ssh session and back in again to verify wget version
    Code (Text):
    cd /usr/local/src/centminmod/addons
    rm -rf wget.sh
    wget https://github.com/centminmod/centminmod/raw/123.09beta01/addons/wget.sh -O wget.sh
    ./wget.sh install
    rm -rf /usr/local/src/centminmod/addons/wget.sh
    


    Mitigation



    i.e. with mitigation, instead of downloading with wget as
    Code (Text):
    wget http://domain.com/file.tar.gz
    

    do the following to specifically rename the download file as the intended file name with -O flag
    Code (Text):
    wget http://domain.com/file.tar.gz -O file.tar.gz
    


    Verify wget update



    To verify that wget has been updated type in SSH (after install, you need to logout of your ssh session and back in again to verify wget version)
    Code (Text):
    wget -V
    

    First line of output has version number
    Code (Text):
    wget -V
    GNU Wget 1.18 built on linux-gnu.
    


    Background Info



     
    Last edited: Jul 12, 2016
    • Like Like x 2
    • Useful Useful x 1
  2. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5

    Upgrading Centmin Mod Code to Latest Version



    Getting Started Guide step 19 outlines also how to keep Centmin Mod code updated or how to switch version branches.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08) (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch swicthing via Git backed environment you can setup. For full details read the following links:
     
  3. Revenge

    Revenge Active Member

    289
    64
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +228
    Local Time:
    9:36 PM
    1.9.x
    10.1.x
    Its also possible to install wget 1.18 rpm from Fedora 22 on Centos 7.
    I used this one and its working 100% fine: wget-1.18-1.fc22.x86_64 RPM

    Code:
    wget -V
    GNU Wget 1.18 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 +iri +large-file +metalink +nls
    +ntlm +opie +psl +ssl/openssl
    
    Wgetrc:
        /etc/wgetrc (system)
    Locale:
        /usr/share/locale
    Compile:
        gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
        -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -DHAVE_LIBSSL
        -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        gcc -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
        -fstack-protector-strong --param=ssp-buffer-size=4
        -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro -lpcre
        -luuid -lmetalink -lssl -lcrypto -L/usr/lib64 -lz -lpsl -lidn
        ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
    
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://www.gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
    Please send bug reports and questions to <bug-wget@gnu.org>.
     
    • Informative Informative x 1
  4. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    Yeah that is an option for CentOS 7 not sure for CentOS 6 due to lower GCC versions. For example for CentOS 6 source compile of wget 1.18 i had to use devtoolset-3 version of GCC 4.9.1 as CentOS 6 default GCC 4.4.7 version was too low for wget 1.18

    edit: also libpsl is required dependency for fedora linked wget 1.18 and libpsl doesn't exist in CentOS 6. So probably best to source compile for now.

    Example Outputs



    Resulting output at end for CentOS 7 with GCC 4.8.5
    Code (Text):
    --------------------------------------------------------
    wget -V
    GNU Wget 1.18 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
    +ntlm +opie +psl +ssl/openssl
    
    Wgetrc:
        /usr/local/etc/wgetrc (system)
    Locale:
        /usr/local/share/locale
    Compile:
        gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
        -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
        /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        gcc -I /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
        -L /usr/local/lib -lpcre -lssl -lcrypto -lz -lpsl -lidn ftp-opie.o
        openssl.o http-ntlm.o ../lib/libgnu.a
    
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://www.gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
    Please send bug reports and questions to <bug-wget@gnu.org>.
    --------------------------------------------------------
    wget 1.18 installed at /usr/local/bin/wget
    


    Example run with CentOS 6.8 GCC 4.9.1 via devtoolset-3 to work around native GCC 4.4.7 which wget compile doesn't support.
    Code (Text):
    wget -V
    GNU Wget 1.18 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
    +ntlm +opie -psl +ssl/openssl
    
    Wgetrc:
        /usr/local/etc/wgetrc (system)
    Locale:
        /usr/local/share/locale
    Compile:
        /opt/rh/devtoolset-3/root/usr/bin/gcc -DHAVE_CONFIG_H
        -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
        -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
        /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        /opt/rh/devtoolset-3/root/usr/bin/gcc -I /usr/local/include
        -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
        -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
        -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre
        -lssl -lcrypto -lz -lidn -lrt ftp-opie.o openssl.o http-ntlm.o
        ../lib/libgnu.a
    
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://www.gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
    Please send bug reports and questions to <bug-wget@gnu.org>.
    --------------------------------------------------------
    wget 1.18 installed at /usr/local/bin/wget
    
     
    Last edited: Jul 10, 2016
  5. BobbyWibowo

    BobbyWibowo Active Member

    166
    36
    28
    Jul 30, 2015
    Medan, Indonesia
    Ratings:
    +57
    Local Time:
    4:36 AM
    Code:
    # wget -V
    GNU Wget 1.18 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
    +ntlm +opie -psl +ssl/openssl
    
    Wgetrc:
        /usr/local/etc/wgetrc (system)
    Locale:
        /usr/local/share/locale
    Compile:
        ccache gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
        -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
        /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        ccache gcc -I /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g
        -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
        -fstack-protector-strong --param=ssp-buffer-size=4
        -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre
        -lssl -lcrypto -lz -lidn ftp-opie.o openssl.o http-ntlm.o
        ../lib/libgnu.a
    
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://www.gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
    Please send bug reports and questions to <bug-wget@gnu.org>.
    Yay!
     
    • Like Like x 1
  6. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    5:36 AM
    latest
    latest
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    What's output of
    Code (Text):
    ls -lah /svr-setup/wget-1.18
     
  8. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    5:36 AM
    latest
    latest
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    strange it clearly exists
    Code (Text):
    -rw-r--r-- 1 root root 53K Jul 11 21:03 Makefile

    grab the wget install log from /root/centminlogs/wget_source_install_${DT}.log where DT is timestamp and post to pastebin.com or gist.github.com the contents
     
    Last edited: Jul 12, 2016
  10. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    made a slight revision to addons/wget.sh, so try again after updating your centmin mod 123.08stable or 123.09beta01 code :)
     
  11. BigIron

    BigIron Member

    49
    10
    8
    Sep 18, 2015
    Ratings:
    +13
    Local Time:
    1:36 PM
    Hmm, updated the code base and ran ./wget.sh install. Still reporting version 1.14.

     
  12. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    need to logout of your ssh session and back in. Thought i mentioned it but will add to above instructions
     
    • Like Like x 1
  13. BigIron

    BigIron Member

    49
    10
    8
    Sep 18, 2015
    Ratings:
    +13
    Local Time:
    1:36 PM
    There we go :)
     
    • Like Like x 1
  14. RoldanLT

    RoldanLT Well-Known Member

    3,978
    965
    113
    May 25, 2014
    Phillipines
    Ratings:
    +1,329
    Local Time:
    5:36 AM
    1.11
    10.2
    Code:
    # ./wget.sh install
    Total wget Install Time: .004408802 seconds
    
    Meaning I have the latest version already? :D
     
  15. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    Code (Text):
    wget -V

    ;)
     
    • Like Like x 1
  16. BobbyWibowo

    BobbyWibowo Active Member

    166
    36
    28
    Jul 30, 2015
    Medan, Indonesia
    Ratings:
    +57
    Local Time:
    4:36 AM
    I'm pretty sure I didn't have to logout from ssh when I input wget -V after the installation though o.o
     
  17. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5
    that's because wget.sh actually sources the /root/.bashrc file itself which calls the wget alias.. which is what the act of logging into ssh does everytime you log in
     
    • Informative Informative x 1
  18. trxerz

    trxerz Member

    66
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    9:36 PM
    Just spun couple of Vultr instances today and try to install centminmod beta.
    However, every time I run centmin.sh it always try to update wget 1.18. Re-login to SSH wget still version 1.12.
    Any idea?
     
    • Informative Informative x 1
  19. trxerz

    trxerz Member

    66
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    9:36 PM
    Forget it,
    Solved with
    Code:
    cd /usr/local/src/centminmod/addons
    ./wget.sh install
     
  20. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    7:36 AM
    Nginx 1.13.x
    MariaDB 5.5