patchinfo.20260113100344517680.93181000773252/_patchinfo

@@ -0,0 +1,45 @@
+<patchinfo>
+  <issue tracker="cve" id="2025-69195"/>
+  <issue tracker="bnc" id="1255729">VUL-0: CVE-2025-69195: wget2: memory corruption and crash via filename sanitization logic with attacker-controlled URLs</issue>
+  <issue tracker="cve" id="2025-69194"/>
+  <issue tracker="bnc" id="1255728">VUL-0: CVE-2025-69194: wget2: arbitrary file write via Metalink path traversal</issue>
+  <packager>jengelh</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for wget2</summary>
+  <description>This update for wget2 fixes the following issues:
+
+Changes in wget2:
+
+- Update to release 2.2.1
+  * Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]
+  * Fix remote buffer overflow in get_local_filename_real()
+    [CVE-2025-69195 bsc#1255729]
+  * Fix a redirect/mirror regression from 400713ca
+  * Use the local system timestamp when requested via
+    --no-use-server-timestamps
+  * Prevent file truncation with --no-clobber
+  * Improve messages about why URLs are not being followed
+  * Fix metalink with -O/--output-document
+  * Fix sorting of metalink mirrors by priority
+  * Add --show-progress to improve backwards compatibility to wget
+  * Fix buffer overflow in wget_iri_clone() after
+    wget_iri_set_scheme()
+  * Allow 'no_' prefix in config options
+  * Use libnghttp2 for HTTP/2 testing
+  * Set exit status to 8 on 403 response code
+  * Fix convert-links
+  * Fix --server-response for HTTP/1.1
+
+- Update to release 2.2.0
+  * Don't truncate file when -c and -O are combined
+  * Don't log URI userinfo to logs
+  * Fix downloading multiple files via HTTP/2
+  * Support connecting with HTTP/1.0 proxies
+  * Ignore 1xx HTTP responses for HTTP/1.1
+  * Disable TCP Fast Open by default
+  * Fix segfault when OCSP response is missing
+  * Add libproxy support
+</description>
+  <package>wget2</package>
+</patchinfo>