Arbitrary Symlink Access

Après avoir fait un upgrade, voici ce qu’on me retourne, et que mon anglais ne suffit pas à comprendre.

[quote]wget (1.13.4-3+deb7u2) stable-security; urgency=high

From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
From: Darshit Shah
Date: Sun, 07 Sep 2014 19:11:17 +0000
Subject: CVE-2014-4877: Arbitrary Symlink Access

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP. This commit changes the
default settings in Wget such that Wget no longer creates local symbolic
links, but rather traverses them and retrieves the pointed-to file in
such a retrieval.

The old behaviour can be attained by passing the --retr-symlinks=no
option to the Wget invokation command.

– Thorsten Alteholz Wed, 29 Oct 2014 19:00:14 +0100