Re: [Tails-dev] [Bug-wget] Wget Sending Original IP !!

Delete this message

Reply to this message
Author: Austin English
Date:  
To: intrigeri
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] [Bug-wget] Wget Sending Original IP !!
On Fri, Oct 2, 2015 at 6:54 AM, Austin English <austinenglish@???> wrote:
> On Oct 2, 2015 4:50 AM, "intrigeri" <intrigeri@???> wrote:
>>
>> Hi,
>>
>> Austin English wrote (07 Sep 2015 20:30:59 GMT) :
>> > On Mon, Sep 7, 2015 at 3:25 PM, Austin English <austinenglish@???>
>> > wrote:
>> >> Rebasing it was trivial (the conflict was on adding the test to the
>> >> Makefile). It looks like upstream has a bug (they don't actually run
>> >> the tests), but that's fixed in this patch.
>>
>> > Small correction, their build system changed, upstream does not have a
>> > bug in that regard.
>>
>> Thanks again for requesting a CVE ID about it. The CVE folks have
>> analyzed this in depth and concluded it is a Tails vulnerability, not
>> a wget one. So we got our first CVE ID, it seems:
>>
>> http://www.openwall.com/lists/oss-security/2015/10/01/10
>>
>> ⇒ this won't get fixed via Debian security update, and we need to
>> handle it on our side.
>>
>> Austin, given this, can you please give advice wrt. what's the easiest
>> safe way to fix that problem in Tails? Can we do that on Tails/Wheezy
>> with configuration only, or do we need to patch wget? Is it any
>> different in Tails/Jessie, or with wget 1.16.3 that we could perhaps
>> backport?
>>
>> (Sorry, I've no time/energy at the moment to re-read the entire thread
>> and the one it links to.)
>>
>> Also, any idea if other FTP clients we ship (at least Tor Browser and
>> Nautilus) are affected by this problem?
>>
>> I'd like to see tickets on our Redmine track the known problem, and
>> the research about more potential ones. If you don't feel like
>> creating these tickets, let me know and I'll do it.
>>
>> Cheers,
>> --
>> intrigeri
>
> I'm on holiday for the next two weeks, so please create the tickets.
>
> Afaict, it requires patching wget. The fix backports cleanly, the tests
> don't (I've manually backported that).


wget/CVE-2015-7665: https://labs.riseup.net/code/issues/10364
Investigate nautilus/Tor Browser: https://labs.riseup.net/code/issues/10365

--
-Austin