ALAS-2014-442

Amazon Linux 1 (EOL) Security Advisory: ALAS-2014-442
Advisory Released Date: 2014-11-05
Advisory Updated Date: 2014-11-05

Severity: Medium

References: CVE-2014-4877
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Affected Packages:

wget

Issue Correction:
Run yum update wget to update your system.

New Packages:

i686:
    wget-debuginfo-1.16-1.13.amzn1.i686
    wget-1.16-1.13.amzn1.i686

src:
    wget-1.16-1.13.amzn1.src

x86_64:
    wget-debuginfo-1.16-1.13.amzn1.x86_64
    wget-1.16-1.13.amzn1.x86_64

Additional References

Red Hat: CVE-2014-4877

Mitre: CVE-2014-4877