Debian Security Advisory

DSA-4195-1 wget -- security update

Date Reported:
08 May 2018
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 898076.
In Mitre's CVE dictionary: CVE-2018-0494.
More information:

Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle '\r\n' from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replacing existing cookie values.

For the oldstable distribution (jessie), this problem has been fixed in version 1.16-1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u2.

We recommend that you upgrade your wget packages.

For the detailed security status of wget please refer to its security tracker page at: