Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2026:20038-1

Опубликовано: 14 янв. 2026
Источник: suse-cvrf

Описание

Security update for wget2

This update for wget2 fixes the following issues:

Changes in wget2:

  • Update to release 2.2.1

    • Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]
    • Fix remote buffer overflow in get_local_filename_real() [CVE-2025-69195 bsc#1255729]
    • Fix a redirect/mirror regression from 400713ca
    • Use the local system timestamp when requested via --no-use-server-timestamps
    • Prevent file truncation with --no-clobber
    • Improve messages about why URLs are not being followed
    • Fix metalink with -O/--output-document
    • Fix sorting of metalink mirrors by priority
    • Add --show-progress to improve backwards compatibility to wget
    • Fix buffer overflow in wget_iri_clone() after wget_iri_set_scheme()
    • Allow 'no_' prefix in config options
    • Use libnghttp2 for HTTP/2 testing
    • Set exit status to 8 on 403 response code
    • Fix convert-links
    • Fix --server-response for HTTP/1.1

  • Update to release 2.2.0

    • Don't truncate file when -c and -O are combined
    • Don't log URI userinfo to logs
    • Fix downloading multiple files via HTTP/2
    • Support connecting with HTTP/1.0 proxies
    • Ignore 1xx HTTP responses for HTTP/1.1
    • Disable TCP Fast Open by default
    • Fix segfault when OCSP response is missing
    • Add libproxy support

Список пакетов

openSUSE Leap 16.0
libwget4-2.2.1-bp160.1.1
wget2-2.2.1-bp160.1.1
wget2-devel-2.2.1-bp160.1.1

Ссылки

Описание

A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user's environment.

Затронутые продукты
openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1
openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1
openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1
Ссылки

Описание

A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.

Затронутые продукты
openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1
openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1
openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1
Ссылки
Уязвимость openSUSE-SU-2026:20038-1