Security update for wget SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0057-1 Final 1 1 2019-03-23T10:47:55Z current 2019-03-23T10:47:55Z 2019-03-23T10:47:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for wget This update for wget fixes the following issues: Security issue fixed: - CVE-2018-20483: Fixed an information disclosure through file metadata (bsc#1120382) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-57 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00020.html E-Mail link for openSUSE-SU-2019:0057-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1120382 SUSE Bug 1120382 https://www.suse.com/security/cve/CVE-2018-20483/ SUSE CVE CVE-2018-20483 page openSUSE Leap 15.0 wget-1.19.5-lp150.2.3.1 wget-1.19.5-lp150.2.3.1 as a component of openSUSE Leap 15.0 set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl. CVE-2018-20483 openSUSE Leap 15.0:wget-1.19.5-lp150.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00020.html https://www.suse.com/security/cve/CVE-2018-20483.html CVE-2018-20483 https://bugzilla.suse.com/1120382 SUSE Bug 1120382