Re: [Tails-dev] [Bug-wget] Wget Sending Original IP !!

Author: Austin English
Date:  
To: intrigeri
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] [Bug-wget] Wget Sending Original IP !!
On Oct 2, 2015 4:50 AM, "intrigeri" <intrigeri@???> wrote:
>
> Hi,
>
> Austin English wrote (07 Sep 2015 20:30:59 GMT) :
> > On Mon, Sep 7, 2015 at 3:25 PM, Austin English <austinenglish@???> wrote:
> >> Rebasing it was trivial (the conflict was on adding the test to the
> >> Makefile). It looks like upstream has a bug (they don't actually run
> >> the tests), but that's fixed in this patch.
>
> > Small correction, their build system changed, upstream does not have a
> > bug in that regard.
>
> Thanks again for requesting a CVE ID about it. The CVE folks have
> analyzed this in depth and concluded it is a Tails vulnerability, not
> a wget one. So we got our first CVE ID, it seems:
>
> http://www.openwall.com/lists/oss-security/2015/10/01/10
>
> ⇒ this won't get fixed via Debian security update, and we need to
> handle it on our side.
>
> Austin, given this, can you please give advice wrt. what's the easiest
> safe way to fix that problem in Tails? Can we do that on Tails/Wheezy
> with configuration only, or do we need to patch wget? Is it any
> different in Tails/Jessie, or with wget 1.16.3 that we could perhaps
> backport?
>
> (Sorry, I've no time/energy at the moment to re-read the entire thread
> and the one it links to.)
>
> Also, any idea if other FTP clients we ship (at least Tor Browser and
> Nautilus) are affected by this problem?
>
> I'd like to see tickets on our Redmine track the known problem, and
> the research about more potential ones. If you don't feel like
> creating these tickets, let me know and I'll do it.
>
> Cheers,
> --
> intrigeri


I'm on holiday for the next two weeks, so please create the tickets.

Afaict, it requires patching wget. The fix backports cleanly, the tests
don't (I've manually backported that).