From 3103a9e8e0e4721731fb4aae2c63dfcafe6169c3c9fd9d278284a553a1c28ca4 Mon Sep 17 00:00:00 2001 From: Robert Frohl Date: Tue, 13 Jan 2026 11:05:36 +0100 Subject: [PATCH 1/2] Update submodules from pool/wget2#1 and create patchinfo.20260113100344517680.93181000773252/_patchinfo --- .../_patchinfo | 46 +++++++++++++++++++ wget2 | 2 +- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 patchinfo.20260113100344517680.93181000773252/_patchinfo diff --git a/patchinfo.20260113100344517680.93181000773252/_patchinfo b/patchinfo.20260113100344517680.93181000773252/_patchinfo new file mode 100644 index 0000000..9c992fa --- /dev/null +++ b/patchinfo.20260113100344517680.93181000773252/_patchinfo 
@@ -0,0 +1,46 @@ + + + VUL-0: CVE-2025-69195: wget2: memory corruption and crash via filename sanitization logic with attacker-controlled URLs + + VUL-0: CVE-2025-69194: wget2: arbitrary file write via Metalink path traversal + jengelh + important + security + Security update for wget2 + This update for wget2 fixes the following issues: + +Changes in wget2: + +- Update to release 2.2.1 + * Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728] + * Fix remote buffer overflow in get_local_filename_real() + [CVE-2025-69195 bsc#1255729] + * Fix a redirect/mirror regression from 400713ca + * Use the local system timestamp when requested via + --no-use-server-timestamps + * Prevent file truncation with --no-clobber + * Improve messages about why URLs are not being followed + * Fix metalink with -O/--output-document + * Fix sorting of metalink mirrors by priority + * Add --show-progress to improve backwards compatibility to wget + * Fix buffer overflow in wget_iri_clone() after + wget_iri_set_scheme() + * Allow 'no_' prefix in config options + * Use libnghttp2 for HTTP/2 testing + * Set exit status to 8 on 403 response code + * Fix convert-links + * Fix --server-response for HTTP/1.1 + +- Update to release 2.2.0 + * Don't truncate file when -c and -O are combined + * Don't log URI userinfo to logs + * Fix downloading multiple files via HTTP/2 + * Support connecting with HTTP/1.0 proxies + * Ignore 1xx HTTP responses for HTTP/1.1 + * Disable TCP Fast Open by default + * Fix segfault when OCSP response is missing + * Add libproxy support + + wget2 + + diff --git a/wget2 b/wget2 index f4e4440..a444330 160000 --- a/wget2 +++ b/wget2 @@ -1 +1 @@ -Subproject commit f4e4440ab063df9983be5187ba94b089da24011832ab13b208b16670249ecea9 +Subproject commit a444330efc9a196972e669af33803fb70dc13a402451c48e560fa2c55d8dd06d -- 2.51.1 From 2db914151fb9d6f5ca25424c7f9681730b7f52841b3a7a1f43ccf44dbe5e2814 Mon Sep 17 00:00:00 2001 
From: Robert Frohl Date: Tue, 13 Jan 2026 11:17:26 +0100 Subject: [PATCH 2/2] Update patchinfo.20260113100344517680.93181000773252/_patchinfo removed --- patchinfo.20260113100344517680.93181000773252/_patchinfo | 1 - 1 file changed, 1 deletion(-) diff --git a/patchinfo.20260113100344517680.93181000773252/_patchinfo b/patchinfo.20260113100344517680.93181000773252/_patchinfo index 9c992fa..781fc24 100644 --- a/patchinfo.20260113100344517680.93181000773252/_patchinfo +++ b/patchinfo.20260113100344517680.93181000773252/_patchinfo @@ -42,5 +42,4 @@ Changes in wget2: * Add libproxy support wget2 - -- 2.51.1
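Review bot: In the description added to _patchinfo by PATCH 1/2, the 2.2.1 entry "Fix buffer overflow in wget_iri_clone() after wget_iri_set_scheme()" carries no CVE or bsc reference, while the two entries at the top of the same list do ([CVE-2025-69194 bsc#1255728] and [CVE-2025-69195 bsc#1255729]). Add the tracking reference if one exists, or state that this overflow is not tracked as a security issue, so readers of the advisory can tell which changelog items are security relevant. The description also carries the full 2.2.0 and 2.2.1 changelogs; putting the two CVE fixes first and the remaining changes after them would make the security content easier to find.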
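Review bot: For the wget2 submodule hunk in PATCH 1/2 (Subproject commit f4e4440... to a444330...), nothing visible in the change ties the new commit to release 2.2.1, which is what the patchinfo description claims to ship. Note in the commit message that a444330... is the head of pool/wget2#1 and corresponds to 2.2.1, so the advisory text can be checked against the submodule content.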
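Review bot: In PATCH 2/2 the subject ends in "removed" without saying what was removed, and the single line deleted in the hunk at @@ -42,5 +42,4 @@ (just after the wget2 package entry) is not explained anywhere. Name the dropped element and the reason in the commit message, or squash this commit into PATCH 1/2, since it only amends a file created there about twelve minutes earlier.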