Debian Bug report logs - #409938
wget: missing a check for Subject Alternative Name (TLS cert.)

Package: wget; Maintainer for wget is Noël Köthe <noel@debian.org>; Source for wget is src:wget.

Reported by: Matt Swift <debian-bugs@mattswift.net>

Date: Tue, 6 Feb 2007 14:33:19 UTC

Severity: normal

Tags: fixed-upstream, upstream

Merged with 447266

Found in versions wget/1.10.2-2, wget/1.10.2-3

Fixed in version wget/1.13-1

Done: Noël Köthe <noel@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://savannah.gnu.org/bugs/index.php?20421


Report forwarded to debian-bugs-dist@lists.debian.org, Noèl Köthe <noel@debian.org>:
Bug#409938; Package wget. Full text and rfc822 format available.

Acknowledgement sent to Matt Swift <debian-bugs@mattswift.net>:
New Bug report received and forwarded. Copy sent to Noèl Köthe <noel@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Matt Swift <debian-bugs@mattswift.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wget: missing a check for Subject Alternative Name (TLS cert.)
Date: Tue, 06 Feb 2007 09:29:34 -0500
Package: wget
Version: 1.10.2-2
Severity: normal

When accessing an https server, wget does not appear to check the
Subject Alternative Name field of the server certificate and in cases
where wget is connecting to a name listed in that field, wget 
declines to connect to the server without the --no-check-certificate
option, which should not be necessary in this case.

A similar problem has been fixed in fetchmail, and Debian bug report
#201113 may contain useful information.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-corax-1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages wget depends on:
ii  libc6                       2.3.6.ds1-10 GNU C Library: Shared libraries
ii  libssl0.9.8                 0.9.8c-4     SSL shared libraries

wget recommends no packages.

-- no debconf information
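
The check the report above asks for, as an added example (not wget's code and not part of the original report): when a certificate carries subjectAltName dNSName entries they decide the match, so a CN-only comparison refuses a host that is listed only there. The function names and the certificate names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated names. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == *b; /* true only when both strings ended together */
}

/* "*" counts only as the whole leftmost label and covers exactly one
   label; patterns like "*.org" are refused (a conservative choice). */
static int name_matches(const char *pattern, const char *host)
{
    const char *dot = strchr(host, '.');
    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, host);
    if (dot == NULL || dot == host || strchr(pattern + 2, '.') == NULL)
        return 0;
    return eq_nocase(pattern + 1, dot);
}

/* CN-only comparison: subjectAltName is never consulted. */
int cn_only_matches(const char *cn, const char *host)
{
    return cn != NULL && name_matches(cn, host);
}

/* RFC 2818 section 3.1 order: if any dNSName entries exist, only they
   identify the server; CN is the fallback when there are none. */
int cert_matches_host(const char *const *san, size_t n_san,
                      const char *cn, const char *host)
{
    size_t i;
    for (i = 0; i < n_san; i++)
        if (name_matches(san[i], host))
            return 1;
    return n_san == 0 && cn_only_matches(cn, host);
}

int main(void)
{
    const char *san[] = { "example.org", "*.example.org" }; /* constructed */
    printf("cn-only=%d san-aware=%d\n",
           cn_only_matches("example.org", "www.example.org"),
           cert_matches_host(san, 2, "example.org", "www.example.org"));
    return 0;
}
```

Names taken from a real certificate must be rejected if they contain embedded NUL bytes before they reach these C string functions.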



Information forwarded to debian-bugs-dist@lists.debian.org, Noèl Köthe <noel@debian.org>:
Bug#409938; Package wget. Full text and rfc822 format available.

Acknowledgement sent to 409938@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Noèl Köthe <noel@debian.org>. Full text and rfc822 format available.

Message #10 received at 409938@bugs.debian.org (full text, mbox):

From: Noèl Köthe <noel@debian.org>
To: Matt Swift <debian-bugs@mattswift.net>, 409938@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#409938: wget: missing a check for Subject Alternative Name (TLS cert.)
Date: Mon, 09 Jul 2007 23:46:34 +0200
forwarded 409938 https://savannah.gnu.org/bugs/index.php?20421
tags 409938 + upstream
thanks

On Tuesday, 06.02.2007, at 09:29 -0500, Matt Swift wrote:

Hello Matt,

> When accessing an https server, wget does not appear to check the
> Subject Alternative Name field of the server certificate and in cases
> where wget is connecting to a name listed in that field, wget 
> declines to connect to the server without the --no-check-certificate
> option, which should not be necessary in this case.
> 
> A similar problem has been fixed in fetchmail, and Debian bug report
> #201113 may contain useful information.

I forwarded this to the wget bug tracking system.

-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org

Noted your statement that Bug has been forwarded to https://savannah.gnu.org/bugs/index.php?20421. Request was from Noèl Köthe <noel@debian.org> to control@bugs.debian.org. (Mon, 09 Jul 2007 21:48:06 GMT) Full text and rfc822 format available.

Tags added: upstream Request was from Noèl Köthe <noel@debian.org> to control@bugs.debian.org. (Mon, 09 Jul 2007 21:48:07 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Fri, 30 Oct 2009 11:03:59 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Noèl Köthe <noel@debian.org>:
Bug#409938; Package wget. (Fri, 10 Sep 2010 14:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matthijs Kooijman <matthijs@stdin.nl>:
Extra info received and forwarded to list. Copy sent to Noèl Köthe <noel@debian.org>. (Fri, 10 Sep 2010 14:57:06 GMT) Full text and rfc822 format available.

Message #21 received at 409938@bugs.debian.org (full text, mbox):

From: Matthijs Kooijman <matthijs@stdin.nl>
To: 409938@bugs.debian.org
Subject: Fixed in (unreleased) wget 1.12.1
Date: Fri, 10 Sep 2010 16:52:23 +0200
A patch for this bug was committed and should be included in the next
upstream release (though it has been committed nearly one year ago and
no release has happened since...)

Information forwarded to debian-bugs-dist@lists.debian.org, Noèl Köthe <noel@debian.org>:
Bug#409938; Package wget. (Thu, 13 Jan 2011 13:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Samuel Tardieu <sam@rfc1149.net>:
Extra info received and forwarded to list. Copy sent to Noèl Köthe <noel@debian.org>. (Thu, 13 Jan 2011 13:57:03 GMT) Full text and rfc822 format available.

Message #26 received at 409938@bugs.debian.org (full text, mbox):

From: Samuel Tardieu <sam@rfc1149.net>
To: 409938@bugs.debian.org
Subject: Re: Fixed in (unreleased) wget 1.12.1
Date: Thu, 13 Jan 2011 14:48:52 +0100
>
> A patch for this bug was committed and should be included in the next
> upstream release (though it has been committed nearly one year ago and
> no release has happened since...)
>
>
Since nothing seems to be moving, could a new Debian package be uploaded
with the corresponding fix? This behavior breaks many developer scripts when
running on Debian (in particular in conjunction with github).

Forcibly Merged 409938 447266. Request was from Thorsten Glaser <tg@mirbsd.de> to control@bugs.debian.org. (Tue, 26 Apr 2011 11:12:10 GMT) Full text and rfc822 format available.

Reply sent to Noël Köthe <noel@debian.org>:
You have taken responsibility. (Fri, 12 Aug 2011 13:51:16 GMT) Full text and rfc822 format available.

Notification sent to Matt Swift <debian-bugs@mattswift.net>:
Bug acknowledged by developer. (Fri, 12 Aug 2011 13:51:16 GMT) Full text and rfc822 format available.

Message #33 received at 409938-close@bugs.debian.org (full text, mbox):

From: Noël Köthe <noel@debian.org>
To: 409938-close@bugs.debian.org
Subject: Bug#409938: fixed in wget 1.13-1
Date: Fri, 12 Aug 2011 13:49:12 +0000
Source: wget
Source-Version: 1.13-1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:

wget_1.13-1.debian.tar.gz
  to main/w/wget/wget_1.13-1.debian.tar.gz
wget_1.13-1.dsc
  to main/w/wget/wget_1.13-1.dsc
wget_1.13-1_amd64.deb
  to main/w/wget/wget_1.13-1_amd64.deb
wget_1.13.orig.tar.gz
  to main/w/wget/wget_1.13.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 409938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 12 Aug 2011 15:34:52 +0200
Source: wget
Binary: wget
Architecture: source amd64
Version: 1.13-1
Distribution: unstable
Urgency: low
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description: 
 wget       - retrieves files from the web
Closes: 215128 353326 402001 409938 502218 542145 563872 565942 581817 595538 597468 598731 607198 612450 624675 626438 635241
Changes: 
 wget (1.13-1) unstable; urgency=low
 .
   * new upstream release 1.13 from 2011-08-09
     - updated wget-doc-remove-usr-local-in-wget.texi,
       wget-fr.po-spelling-correction,
     - removed wget-de.po-remove-double-quote-signs (latest de.po),
       CVE-2010-2252 (included upstream), wget-zh_CN.po-translation-correction,
       fix-paramter-spelling-error-in-wget.texi, refresh-pofiles
     - disabled disable-SSLv2 for the first upload
       see https://savannah.gnu.org/bugs/?33840
     - includes latest po files. closes: Bug#607198
     - bugs fixed with this release by upstream:
     -- IDN support: wget www.köln.de works:) closes: Bug#542145
     -- wildcard documentation of -X
        closes: Bug#215128
     -- wget -O - $URL says `-' saved but there is no file -
        closes: Bug#353326
     -- 'wget -c -N' ignores timestamps
        closes: Bug#402001
     -- missing a check for Subject Alternative Name (TLS cert.)
        closes: Bug#409938
     -- wget segfaults when server returns empty HTTP response code
        closes: Bug#563872
     -- wget: -A/-R vs. -O
        closes: Bug#565942
     -- Unterminated C string in http_atotm()
        closes: Bug#581817
     -- don't use PATH_MAX (FTBFS on hurd)
        closes: Bug#595538
     -- info page points to not documented --cookies option
        closes: Bug#597468
     -- SIGPIPE signal: wget over ssh orphans itself on ctrl+c
        closes: Bug#598731
     -- wget --backup-converted does not work
        closes: Bug#624675
     -- --adjust-extension renames .htm files
        closes: Bug#626438
     -- wget: Invalid russian translation
        closes: Bug#502218
     -- wget: shows only first 3 IP addresses of hostname
        closes: Bug#612450
 .
   * debian/control correct spelling in description. closes: Bug#635241
   * debian/control replace libssl-dev by libgnutls-dev in build dependency


Reply sent to Noël Köthe <noel@debian.org>:
You have taken responsibility. (Fri, 12 Aug 2011 13:51:18 GMT) Full text and rfc822 format available.

Notification sent to Roman Odaisky <to.roma.from.debbug@qwertty.com>:
Bug acknowledged by developer. (Fri, 12 Aug 2011 13:51:19 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 20 Sep 2011 07:42:39 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 17:12:23 2014; Machine Name: beach.debian.org
