[Tails-dev] [Bug-wget] Wget Sending Original IP !!
austinenglish at gmail.com
Fri Oct 2 13:54:16 CEST 2015
On Oct 2, 2015 4:50 AM, "intrigeri" <intrigeri at boum.org> wrote:
> Austin English wrote (07 Sep 2015 20:30:59 GMT) :
> > On Mon, Sep 7, 2015 at 3:25 PM, Austin English <austinenglish at gmail.com>
> >> Rebasing it was trivial (the conflict was on adding the test to the
> >> Makefile). It looks like upstream has a bug (they don't actually run
> >> the tests), but that's fixed in this patch.
> > Small correction, their build system changed, upstream does not have a
> > bug in that regard.
> Thanks again for requesting a CVE ID about it. The CVE folks have
> analyzed this in depth and concluded it is a Tails vulnerability, not
> a wget one. So we got our first CVE ID, it seems:
> ⇒ this won't get fixed via Debian security update, and we need to
> handle it on our side.
> Austin, given this, can you please give advice wrt. what's the easiest
> safe way to fix that problem in Tails? Can we do that on Tails/Wheezy
> with configuration only, or do we need to patch wget? Is it any
> different in Tails/Jessie, or with wget 1.16.3 that we could perhaps
> (Sorry, I've no time/energy at the moment to re-read the entire thread
> and the one it links to.)
> Also, any idea if other FTP clients we ship (at least Tor Browser and
> Nautilus) are affected by this problem?
> I'd like to see tickets on our Redmine track the known problem, and
> the research about more potential ones. If you don't feel like
> creating these tickets, let me know and I'll do it.
I'm on holiday for the next two weeks, so please create the tickets.
Afaict, it requires patching wget. The fix backports cleanly, the tests
don't (I've manually backported that).