Ubuntu.com/usn: Referenced CVEs:
CVE-2010-2252


Description:
===========================================================
Ubuntu Security Notice USN-982-1         September 02, 2010
wget vulnerability
CVE-2010-2252
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  wget                            1.10.2-1ubuntu1.2

Ubuntu 8.04 LTS:
  wget                            1.10.2-3ubuntu1.2

Ubuntu 9.04:
  wget                            1.11.4-2ubuntu1.2

Ubuntu 9.10:
  wget                            1.11.4-2ubuntu2.1

Ubuntu 10.04 LTS:
  wget                            1.12-1.1ubuntu2.1

In general, a standard system update will make all the necessary changes.

ATTENTION: This update changes previous behaviour by ignoring the filename
supplied by the server during redirects. To re-enable previous behaviour,
use the new --trust-server-names option.

Details follow:

It was discovered that Wget would use filenames provided by the server when
following 3xx redirects. If a user or automated system were tricked into
downloading a file from a malicious site, a remote attacker could create
the file with an arbitrary name (e.g. .wgetrc), and possibly run arbitrary
code.
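After the update, the old behaviour only returns where something opts back in. The following audit sketch is an added example, not part of the advisory or of wget: it flags wgetrc lines and single-line wget invocations that re-enable server-supplied names. It assumes the wgetrc spelling `trust_server_names` and wget's `-e`/`--execute` option; the sample inputs and host names are constructed.

```python
import re
import shlex

OFF_VALUES = {"off", "0", "no"}  # anything else is reported (conservative assumption)

def wgetrc_findings(text):
    """Return (line_no, line) for wgetrc lines that switch trust_server_names on."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        # wgetrc command names ignore case, underscores and dashes.
        name = re.sub(r"[-_]", "", name).lower()
        if name == "trustservernames" and value.lower() not in OFF_VALUES:
            hits.append((no, line))
    return hits

def script_findings(text):
    """Return (line_no, line) for single-line wget calls that trust redirect names."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            words = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote: fall back to a plain split
            words = raw.split()
        if not any(w == "wget" or w.endswith("/wget") for w in words):
            continue
        # Settings passed inline with -e / --execute use wgetrc syntax.
        inline = [words[i + 1] for i, w in enumerate(words[:-1])
                  if w in ("-e", "--execute")]
        if "--trust-server-names" in words or any(wgetrc_findings(s) for s in inline):
            hits.append((no, raw.strip()))
    return hits

# Constructed sample inputs (not taken from any real system).
SAMPLE_WGETRC = """\
# site defaults
Trust-Server-Names = on
trust_server_names = off
"""
SAMPLE_SCRIPT = """\
wget -q https://mirror.example/pkg.tar.gz
/usr/bin/wget --trust-server-names "https://mirror.example/latest"
wget -e trust_server_names=on https://mirror.example/latest
echo "wget --trust-server-names is discussed in the README"
"""
print(wgetrc_findings(SAMPLE_WGETRC), script_findings(SAMPLE_SCRIPT))
```

Commands continued across lines with a backslash and abbreviated long options are not matched; treat a clean result as a starting point rather than proof.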