Re: [Tails-dev] [Bug-wget] Wget Sending Original IP !!

Author: intrigeri
Date:
To: Austin English
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] [Bug-wget] Wget Sending Original IP !!

Hi,

Austin English wrote (07 Sep 2015 20:30:59 GMT) :
> On Mon, Sep 7, 2015 at 3:25 PM, Austin English <austinenglish@???> wrote:
>> Rebasing it was trivial (the conflict was on adding the test to the
>> Makefile). It looks like upstream has a bug (they don't actually run
>> the tests), but that's fixed in this patch.


> Small correction, their build system changed, upstream does not have a
> bug in that regard.


Thanks again for requesting a CVE ID about it. The CVE folks have
analyzed this in depth and concluded it is a Tails vulnerability, not
a wget one. So we got our first CVE ID, it seems:

http://www.openwall.com/lists/oss-security/2015/10/01/10

⇒ this won't get fixed via Debian security update, and we need to
handle it on our side.

Austin, given this, can you please give advice wrt. what's the easiest
safe way to fix that problem in Tails? Can we do that on Tails/Wheezy
with configuration only, or do we need to patch wget? Is it any
different in Tails/Jessie, or with wget 1.16.3 that we could perhaps
backport?

(Sorry, I've no time/energy at the moment to re-read the entire thread
and the one it links to.)

Also, any idea if other FTP clients we ship (at least Tor Browser and
Nautilus) are affected by this problem?

I'd like to see tickets on our Redmine track the known problem, and
the research about more potential ones. If you don't feel like
creating these tickets, let me know and I'll do it.

Cheers,
--
intrigeri