Accepting request 661869 from home:AndreasStieger:branches:network:utilities

GNU wget 1.20.1 CVE-2018-20483 (bsc#1120382) OBS-URL: https://build.opensuse.org/request/show/661869 OBS-URL: https://build.opensuse.org/package/show/network:utilities/wget?expand=0&rev=93
2018-12-28 20:53:28 +00:00 · 2018-12-28 20:53:28 +00:00 · 161aa5f0fe
commit 161aa5f0fe
parent ce38b4661c
7 changed files with 1047 additions and 1206 deletions
--- a/wget-1.20.1.tar.gz
+++ b/wget-1.20.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b783b390cb571c837b392857945f5a1f00ec6b043177cc42abb8ee1b542ee1b3
+size 4392853
--- a/wget-1.20.1.tar.gz.sig
+++ b/wget-1.20.1.tar.gz.sig
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEHLJ9vJhhSy1YQWRtCDAttqJnBCgFAlwj4MMACgkQCDAttqJn
+BChfEg/+IV6d6IIG/UdNHZmw9Zx/GVKJ+kmCGBtGAWYV1/IyTqlsOHiP1d7flTHy
+oJE2OJ4tLt0v8/BOG739bRPR2CbrqDSxloIc0nxpG5aKGd7qapB/R8kDBCALoAvU
+Hn/eQalTPQ01mdlAbTt/1PZm0gg3nlKK3SQeSuS5x/TKW1VeUzAniUkV3QzWLlBI
+IMgXyJZHa9SQcs1O+z7P4Av31eUV7HFh209Sy1DB7fOoox1bplWf1vi8GiB3Fzav
+xVVgrqfIw7Y6piKGgyx91lj2/bucNzE+Uci87l0baBPedH0p8QqObVzwXfP77rd1
+lLWNWCfgjXsytalUQehIdBoNG4Axy6Xv8Fb0DsclS1mt1Vp1VD5/tZlm7657eu3a
+I/9RTDkQJ81VmTLdN4yhJi62a3EAWd378WnXzE0OTd6ORIh5Gl69bX7WL1xyh5NO
+7kI3+VUYqnQmlzxl3m2BMA0/dgGUU6UIFVSWxdWJ1X6d6IMc/TotjTTxSpQlf5jD
+78aGBDezkgrxQ/alqOXEPwsbCj+XraZ+OLwXOB/lh359g7yICDWE6ky9Cp9KeKam
+JrlQ/z8eDEIvQXPjk451LqNo694T73G2b7bC16/epUjJ9z1ftEuvefrBemBuLuzu
+5YqBcdQ3bxcC0zCoUilf0TiXUSwVS+QFpaScMmrTV2comKs/HF4=
+=ztII
+-----END PGP SIGNATURE-----
--- a/wget-1.20.tar.gz
+++ b/wget-1.20.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8a057925c74c059d9e37de63a63b450da66c5c1c8cef869a6df420b3bb45a0cf
-size 4474641
--- a/wget-1.20.tar.gz.sig
+++ b/wget-1.20.tar.gz.sig
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEa5j2N9h5xSNuJ3xcZP+QqujHCvkFAlwAcjEACgkQZP+QqujH
-Cvl1xxAAi/0j2UjNjOftXX1LFCKn+6Q5//T9iurjUZzpcLc7K7eiTSfI9TIpXzU9
-mWbvs6OiXbM8x/l4wj0gkV6OugpKBbAMagA9VT0vbFAetadWJE435U+ghruhz97e
-aKOVyTcOQNYHpHpw50bnmv2vyLCeFctE9eA6f7d88X7l27Et2QmnVyqGfhULGROX
-TFRY6LEqS5tNioL5r70j/rogf/Nb/ZEcXSWMbB/Y0Hold+IbaZn7qYtgP/lBFEGk
-UlX2mpPJuwktYGV+wJNlz0JwCbLCXsM9oTij29Kn1SujJ0QLfz43VqUbZK2vX8wu
-hRXqtqyq/GeWECQ4o/um08PEYNDW/BnucHX8/abP+I2NxVxJOSD9+LNsv1Yu2wnH
-aN9WPJ8Kts25nM0XqqUPgfPPJcuj/YNw9KBmA32VXGdP0RdsLZG2TtyNtFsUH7PQ
-OSXbUNEVuXECaRgMcZ6Jd251rOjROScBD+rSfsepfK6XsgnlweXD5LnDX6FBnigL
-P8P15VdM68jPLzwrwByDi+kjd59ojzu1Wc28WbX10K9jFx3OOy6RKJ0ULqNulNk9
-b4UXdbAmiXlDIN3FDN3fOCZzPGqcbcg21GoU2AvKfs9EKKVlIUgbxVfAcDtogn3h
-b1CetPZWgl0tPS0TaGQvnvDI1ftdUt3WoCqmXuoWeKdHnwmeqbY=
-=y9uB
-----END PGP SIGNATURE-----
--- a/wget.changes
+++ b/wget.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Fri Dec 28 20:51:04 UTC 2018 - astieger@suse.com
+
+- GNU wget 1.20.1:
+  * --xattr is no longer default since it introduces privacy issues
+  * --xattr saves the Referer as scheme/host/port,
+    user/pw/path/query/fragment are no longer saved to prevent
+    privacy issues
+  * --xattr saves the Original URL without user/password to prevent
+    privacy issues
+  * all of the above fix CVE-2018-20483 (bsc#1120382)
+
 -------------------------------------------------------------------
 Fri Nov 30 14:02:43 UTC 2018 - josef.moellers@suse.com

--- a/wget.keyring
+++ b/wget.keyring
--- a/wget.spec
+++ b/wget.spec
@ -12,18 +12,18 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


 %bcond_with	regression_tests
 Name:           wget
-Version:        1.20
+Version:        1.20.1
 Release:        0
 Summary:        A Tool for Mirroring FTP and HTTP Servers
-License:        GPL-3.0+
+License:        GPL-3.0-or-later
 Group:          Productivity/Networking/Web/Utilities
-Url:            https://www.gnu.org/software/wget/
+URL:            https://www.gnu.org/software/wget/
 Source:         https://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz
 Source1:        https://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz.sig
 Source2:        https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=wget&download=1#/wget.keyring
@ -105,7 +105,8 @@ make %{?_smp_mflags} -C tests/ check
 %install_info_delete --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz

 %files -f %{name}.lang
-%doc AUTHORS COPYING NEWS README MAILING-LIST
+%license COPYING
+%doc AUTHORS NEWS README MAILING-LIST
 %doc doc/sample.wgetrc util/rmold.pl
 %{_mandir}/*/wget*
 %{_infodir}/wget*