
Security wget security vulnerability CVE-2016-4971

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jul 10, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    One of the most commonly used tools to download files on Linux is wget. There's a security vulnerability, CVE-2016-4971, in wget that needs wget updated to version 1.18+. However, Redhat is refusing to fix it for Redhat 5 and 6 and has deferred its fix in Redhat 7. So unless CentOS does their own fix, they'd be waiting on Redhat! CentOS 6 uses wget 1.12 and CentOS 7 uses wget 1.14.

    Fixes and mitigation for wget CVE-2016-4971



    Current mitigation and fixes are
    1. Manual update to wget 1.18 to fully fix CVE-2016-4971, or
    2. Mitigation by using wget with the -O option to explicitly name the downloaded files

    Manual wget 1.18 update



    Manual wget update to 1.18 can be done by source compile. Centmin Mod 123.09beta01 has added a new addon at addons/wget.sh which you can run to update wget to 1.18. Full details are outlined at Beta Branch - add addons/wget.sh allow newer version of wget on CentOS for 123.09beta01 | Centmin Mod Community

    It will also be auto-triggered on a 123.09beta01 run of centmin.sh if it detects the wget version is not 1.18. You would need to update to the latest 123.09beta01 code via centmin.sh menu option 23, submenu option 2 if already on 123.09beta01, or submenu option 3 to switch and upgrade to 123.09beta01.

    For Centmin Mod 123.09beta01



    Ensure you have updated your 123.09beta01 builds via centmin.sh menu option 23 submenu option 2 first.

    Example run on 123.09beta01 latest code with CentOS 7 GCC 4.8.5

    Install via addons/wget.sh - after install, you need to log out of your SSH session and back in again to verify the wget version
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./wget.sh install
    



    For Centmin Mod 123.08stable



    Centmin Mod 123.08stable has backported the addons/wget.sh as of the July 10th, 2016 updates, so it will also auto-trigger addons/wget.sh on running centmin.sh. If on an older Centmin Mod 123.08stable code base, you can also run centmin.sh menu option 23 submenu option 2 to update the code and then run the newly backported addons/wget.sh above. Or you can just grab addons/wget.sh via GitHub download, since addons are meant to be standalone for this reason.

    After install, you need to log out of your SSH session and back in again to verify the wget version
    Code (Text):
    cd /usr/local/src/centminmod/addons
    rm -rf wget.sh
    wget https://github.com/centminmod/centminmod/raw/123.09beta01/addons/wget.sh -O wget.sh
    ./wget.sh install
    rm -rf /usr/local/src/centminmod/addons/wget.sh
    


    Mitigation



    i.e. with the mitigation, instead of downloading with wget as
    Code (Text):
    wget http://domain.com/file.tar.gz
    

    do the following to explicitly name the downloaded file as the intended file name with the -O flag
    Code (Text):
    wget http://domain.com/file.tar.gz -O file.tar.gz
    


    Verify wget update



    To verify that wget has been updated, type in SSH (after install, you need to log out of your SSH session and back in again to verify the wget version)
    Code (Text):
    wget -V
    

    The first line of output has the version number
    Code (Text):
    wget -V
    GNU Wget 1.18 built on linux-gnu.
    


    Background Info



     
    Last edited: Jul 12, 2016
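    The two checks the post above relies on, a version test on the first line of `wget -V` and a download that pins the local file name with -O, as an added example written for this thread; it is not part of Centmin Mod's addons/wget.sh. The function names, the sample banner strings and the sample file in the stand-alone run are constructed for illustration, and `sha256sum` from coreutils is assumed to be present. The version check takes the banner as an argument so it can be exercised without wget installed; when run as a script it inspects whichever wget the current shell resolves, which is exactly why the post says to log out and back in after addons/wget.sh installs.

```shell
#!/bin/bash
# Added example for this thread, not Centmin Mod's addons/wget.sh.
# Helpers around CVE-2016-4971 (fixed in GNU Wget 1.18 per the post above):
#   wget_version_fixed BANNER  -> 0 if the "GNU Wget X.Y ..." banner is 1.18+
#   verify_sha256 FILE HEX     -> 0 if FILE's sha256 matches HEX
#   safe_fetch URL DEST [HEX]  -> wget with an explicit -O, then optional checksum

# Parse the first line of `wget -V` ("GNU Wget 1.18 built on linux-gnu.")
# and report whether the version is 1.18 or newer.
wget_version_fixed() {
    banner="$1"
    ver=$(printf '%s\n' "$banner" | sed -n 's/^GNU Wget \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1          # not a wget banner at all
    case "$ver" in
        *.*) major=${ver%%.*}; minor=${ver#*.}; minor=${minor%%.*} ;;
        *)   major=$ver; minor=0 ;;
    esac
    if [ "$major" -gt 1 ] 2>/dev/null; then return 0; fi
    if [ "$major" -eq 1 ] 2>/dev/null && [ "$minor" -ge 18 ] 2>/dev/null; then return 0; fi
    return 1
}

# Compare a file's sha256 with an expected hex digest (sha256sum from coreutils).
verify_sha256() {
    got=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$got" = "$2" ]; then return 0; fi
    echo "checksum mismatch for $1: got $got, want $2" >&2
    return 1
}

# The post's mitigation: -O pins the on-disk name to DEST, so a server-supplied
# name is never used. An optional sha256 guards the content as well, since -O
# only controls where the bytes land, not what they are.
safe_fetch() {
    url="$1"; dest="$2"; want="$3"
    if ! wget -q "$url" -O "$dest"; then
        rm -f "$dest"; return 1
    fi
    if [ -n "$want" ] && ! verify_sha256 "$dest" "$want"; then
        rm -f "$dest"; return 1
    fi
    return 0
}

# Stand-alone run: check whichever wget the current shell resolves (alias or
# PATH), which is why a fresh SSH login is needed after addons/wget.sh installs.
if command -v wget >/dev/null 2>&1; then
    banner=$(wget -V 2>/dev/null | head -n 1)
    if wget_version_fixed "$banner"; then
        echo "OK: $banner"
    else
        echo "NOT FIXED: $banner (need GNU Wget 1.18 or newer)"
    fi
fi
```

`safe_fetch http://domain.com/file.tar.gz file.tar.gz <sha256>` is the -O form from the post with a checksum added; drop the third argument to get the post's plain mitigation.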
  2. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Upgrading Centmin Mod Code to Latest Version



    Getting Started Guide step 19 also outlines how to keep Centmin Mod code updated and how to switch version branches.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git-backed environment you can set up. For full details read the following links:
     
  3. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    12:16 AM
    1.9.x
    10.1.x
    It's also possible to install the wget 1.18 rpm from Fedora 22 on CentOS 7.
    I used this one and it's working 100% fine: wget-1.18-1.fc22.x86_64 RPM

    Code:
    wget -V
    GNU Wget 1.18 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 +iri +large-file +metalink +nls
    +ntlm +opie +psl +ssl/openssl
    
    Wgetrc:
        /etc/wgetrc (system)
    Locale:
        /usr/share/locale
    Compile:
        gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
        -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -DHAVE_LIBSSL
        -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        gcc -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
        -fstack-protector-strong --param=ssp-buffer-size=4
        -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro -lpcre
        -luuid -lmetalink -lssl -lcrypto -L/usr/lib64 -lz -lpsl -lidn
        ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
    
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://www.gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
    Please send bug reports and questions to <bug-wget@gnu.org>.
     
  4. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yeah, that is an option for CentOS 7; not sure for CentOS 6 due to lower GCC versions. For example, for the CentOS 6 source compile of wget 1.18 I had to use the devtoolset-3 version of GCC 4.9.1, as the CentOS 6 default GCC 4.4.7 version was too low for wget 1.18.

    edit: also, libpsl is a required dependency for the Fedora-linked wget 1.18, and libpsl doesn't exist in CentOS 6. So probably best to source compile for now.

    Example Outputs



    Resulting output at end for CentOS 7 with GCC 4.8.5
    Code (Text):
    --------------------------------------------------------
    wget -V
    GNU Wget 1.18 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
    +ntlm +opie +psl +ssl/openssl
    
    Wgetrc:
        /usr/local/etc/wgetrc (system)
    Locale:
        /usr/local/share/locale
    Compile:
        gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
        -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
        /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        gcc -I /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
        -L /usr/local/lib -lpcre -lssl -lcrypto -lz -lpsl -lidn ftp-opie.o
        openssl.o http-ntlm.o ../lib/libgnu.a
    
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://www.gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
    Please send bug reports and questions to <bug-wget@gnu.org>.
    --------------------------------------------------------
    wget 1.18 installed at /usr/local/bin/wget
    


    Example run with CentOS 6.8 GCC 4.9.1 via devtoolset-3 to work around the native GCC 4.4.7, which the wget compile doesn't support.
    Code (Text):
    wget -V
    GNU Wget 1.18 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
    +ntlm +opie -psl +ssl/openssl
    
    Wgetrc:
        /usr/local/etc/wgetrc (system)
    Locale:
        /usr/local/share/locale
    Compile:
        /opt/rh/devtoolset-3/root/usr/bin/gcc -DHAVE_CONFIG_H
        -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
        -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
        /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        /opt/rh/devtoolset-3/root/usr/bin/gcc -I /usr/local/include
        -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
        -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
        -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre
        -lssl -lcrypto -lz -lidn -lrt ftp-opie.o openssl.o http-ntlm.o
        ../lib/libgnu.a
    
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://www.gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
    Please send bug reports and questions to <bug-wget@gnu.org>.
    --------------------------------------------------------
    wget 1.18 installed at /usr/local/bin/wget
    
     
    Last edited: Jul 10, 2016
  5. BobbyWibowo

    BobbyWibowo Active Member

    197
    42
    28
    Jul 30, 2015
    Indonesia
    Ratings:
    +71
    Local Time:
    6:16 AM
    1.17.x
    10.3.x
    Code:
    # wget -V
    GNU Wget 1.18 built on linux-gnu.
    
    -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
    +ntlm +opie -psl +ssl/openssl
    
    Wgetrc:
        /usr/local/etc/wgetrc (system)
    Locale:
        /usr/local/share/locale
    Compile:
        ccache gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
        -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
        /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
        -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
        --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    Link:
        ccache gcc -I /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g
        -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
        -fstack-protector-strong --param=ssp-buffer-size=4
        -grecord-gcc-switches -m64 -mtune=generic -L /usr/local/lib -lpcre
        -lssl -lcrypto -lz -lidn ftp-opie.o openssl.o http-ntlm.o
        ../lib/libgnu.a
    
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    <http://www.gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
    Please send bug reports and questions to <bug-wget@gnu.org>.
    Yay!
     
  6. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    7:16 AM
    latest
    latest
     
  7. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    What's output of
    Code (Text):
    ls -lah /svr-setup/wget-1.18
     
  8. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    7:16 AM
    latest
    latest
     
  9. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    strange, it clearly exists
    Code (Text):
    -rw-r--r-- 1 root root 53K Jul 11 21:03 Makefile

    grab the wget install log from /root/centminlogs/wget_source_install_${DT}.log, where DT is the timestamp, and post the contents to pastebin.com or gist.github.com
     
    Last edited: Jul 12, 2016
  10. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Made a slight revision to addons/wget.sh, so try again after updating your Centmin Mod 123.08stable or 123.09beta01 code :)
     
  11. BigIron

    BigIron Member

    64
    15
    8
    Sep 18, 2015
    Ratings:
    +19
    Local Time:
    4:16 PM
    Hmm, updated the code base and ran ./wget.sh install. Still reporting version 1.14.

     
  12. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Need to log out of your SSH session and back in. Thought I mentioned it but will add it to the above instructions.
     
  13. BigIron

    BigIron Member

    64
    15
    8
    Sep 18, 2015
    Ratings:
    +19
    Local Time:
    4:16 PM
    There we go :)
     
  14. rdan

    rdan Well-Known Member

    5,449
    1,410
    113
    May 25, 2014
    Ratings:
    +2,204
    Local Time:
    7:16 AM
    Mainline
    10.2
    Code:
    # ./wget.sh install
    Total wget Install Time: .004408802 seconds
    
    Meaning I have the latest version already? :D
     
  15. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Code (Text):
    wget -V

    ;)
     
  16. BobbyWibowo

    BobbyWibowo Active Member

    197
    42
    28
    Jul 30, 2015
    Indonesia
    Ratings:
    +71
    Local Time:
    6:16 AM
    1.17.x
    10.3.x
    I'm pretty sure I didn't have to log out from SSH when I input wget -V after the installation though o.o
     
  17. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    That's because wget.sh actually sources the /root/.bashrc file itself, which calls the wget alias, which is what the act of logging into SSH does every time you log in.
     
  18. trxerz

    trxerz Member

    69
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    12:16 AM
    Just spun up a couple of Vultr instances today and tried to install centminmod beta.
    However, every time I run centmin.sh it always tries to update wget 1.18. After re-logging in to SSH, wget is still version 1.12.
    Any idea?
     
  19. trxerz

    trxerz Member

    69
    5
    8
    Jun 25, 2015
    Ratings:
    +7
    Local Time:
    12:16 AM
    Forget it,
    solved with
    Code:
    cd /usr/local/src/centminmod/addons
    ./wget.sh install
     
  20. eva2000

    eva2000 Administrator Staff Member

    55,225
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,831
    Local Time:
    9:16 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+