It appears that the buffer overflow issue referred to is the same in
both 1.20.2 and 1.20.3 (they had to fix the fix).
Upstream changelog:
* Changes in Wget 1.20.3
** Fixed a buffer overflow vulnerability
* Changes in Wget 1.20.2
** NTLM authentication will retry under certain cases
** Fixed a buffer overflow vulnerability
Upstream changelog:
* Changes in Wget 1.20.1
** --xattr is no longer default since it introduces privacy issues.
** --xattr saves the Referer as scheme/host/port, user/pw/path/query/fragment
are no longer saved to prevent privacy issues.
** --xattr saves the Original URL without user/password to prevent
privacy issues.
* Changes in Wget 1.20
** Add new option `--retry-on-host-error` to treat local errors as
transient and hence Wget will retry to download the file after
a brief waiting period.
** Fixed multiple potential resource leaks as found by static analysis
** Wget will now not create an empty wget-log file when running with
-q and -b switches together
** When compiled using the GnuTLS >= 3.6.3, Wget now has support for TLSv1.3
** Now there is support for using libpcre2 for regex pattern matching
** When downloading over FTP recursively, one can now use the
--{accept,reject}-regex switches to fine-tune the downloaded files
** Building Wget from the git sources now requires autoconf 2.63 or above.
Building from the Tarballs works as it used to.
* Changes in Wget 1.19.5
* Fix cookie injection (CVE-2018-0494)
* Enable TLS1.3 with recent OpenSSL environment
* New option --ciphers to set GnuTLS / OpenSSL ciphers directly
* Updated CSS grammar to CSS 2.2
* Fixed several memleaks found by OSS-Fuzz
* Fixed several buffer overflows found by OSS-Fuzz
* Fixed several integer overflows found by OSS-Fuzz
* Several minor bug fixes
* Changes in Wget 1.19.4
* A major bug that caused GZip'ed pages to never be decompressed has been fixed
* Support for Content-Encoding and Transfer-Encoding have been marked as
experimental and disabled by default
* Changes in Wget 1.19.3
* Prevent erroneous decompression of .gz and .tgz files with broken servers
* Added support for HTTP 308 Permanent Redirect response
* Fix a segfault in some cases where the Content-Type header is not sent
* Support OpenSSL 1.1 builds without using deprecated features
* Fix netrc file detection on Windows
* Several minor bug fixes
* Changes in Wget 1.19.2
* Fix CVE-2017-13089 (Stack overflow in HTTP protocol handling)
* Fix CVE-2017-13090 (Heap overflow in HTTP protocol handling)
* New option --compression for gzip Content-Encoding
* New option --[no]-netrc to control .netrc parsing
* Added GNU extensions to .netrc parsing
* Improved IDNA 2003 compatibility
* Fix VPATH issues
* Improved and extended the test suite
* Support Wayback Machine's X-Archive-Orig-last-modified
* Several bug fixes
Since wget-1.19, libidn2 is needed for the IDN/IRIs support. Adjust
the `idn' package option logic to reflect that and explicitly ask
for it via CONFIGURE_ARGS. This should also fix the build without
the `idn' option selected pointed out by john heasley via PR pkg/52726.
Bump PKGREVISION
Changelog:
* Changes in Wget 1.19.1
* Fix bugs, a regression, portability/build issues
* Add new option --retry-on-http-error
* Changes in Wget 1.19
* New option --use-askpass=COMMAND. Fetch user/password by calling
an external program.
* Use IDNA2008 (+ TR46 if available) through libidn2
* When processing a Metalink header, --metalink-index=<number> allows
to process the header's application/metalink4+xml files.
* When processing a Metalink file, --trust-server-names enables the
use of the destination file names specified in the Metalink file,
otherwise a safe destination file name is computed.
* When processing a Metalink file, enforce a safe destination path.
Remove any drive letter prefix under w32, i.e. 'C:D:file'. Call
libmetalink's metalink_check_safe_path() to prevent absolute,
relative, or home paths:
https://tools.ietf.org/html/rfc5854#section-4.1.2.1https://tools.ietf.org/html/rfc5854#section-4.2.8.3
* When processing a Metalink file, --directory-prefix=<prefix> sets
the top of the retrieval tree to prefix for Metalink downloads.
* When processing a Metalink file, reject downloaded files which don't
agree with their own metalink:size value:
https://tools.ietf.org/html/rfc5854#section-4.2.16
* When processing a Metalink file, with --continue resume partially
downloaded files and keep fully downloaded files even if they fail
the verification.
* When processing a Metalink file, create the parent directories of a
"path/file" destination file name:
https://tools.ietf.org/html/rfc5854#section-4.1.2.1https://tools.ietf.org/html/rfc5854#section-4.2.8.3
* On a recursive download, append a .tmp suffix to temporary files
that will be deleted after being parsed, and create them
readable/writable only by the owner.
* New make target 'check-valgrind'
* Fix several bugs
* Fix compatibility issues
* Changes in Wget 1.18
* By default, on server redirects to a FTP resource, use the original
URL to get the local file name. Close CVE-2016-4971. This
introduces a backward-incompatibility for HTTP->FTP redirects and
any script that relies on the old behaviour must use
--trust-server-names.
* Check the HSTS file is not world-writable before using it.
* Parse <img srcset> attributes on a recursive download.
* Fix problem with SNI server names having trailing dot(s)
* New options --bind-dns-address and --dns-servers.
* When Wget is built with libiconv, it now converts non-ASCII URIs to
the locale's codeset when it creates files. The encoding of the
remote files and URIs is taken from --remote-encoding, defaulting to
UTF-8. The result is that non-ASCII URIs and files downloaded via
HTTP/HTTPS and FTP will have names on the local filesystem that
correspond to their remote names.
* Changes in Wget 1.17.1
* Fix compile error when IPv6 is disabled or SSL is not present.
* Fix HSTS memory leak.
* Fix progress output in non-C locales.
* Fix SIGSEGV when -N and --content-disposition are used together.
* Add --check-certificate=quiet to tell wget to not print any warning about
invalid certificates.
* Changes in Wget 1.17
** Remove FTP passive to active fallback due to privacy concerns.
** Add support for --if-modified-since.
** Add support for metalink through --input-metalink and --metalink-over-http.
** Add support for HSTS through --hsts and --hsts-file.
** Add option to restrict filenames under VMS.
** Add support for --rejected-log which logs to a separate file the reasons why
URLs are being rejected and some context around it.
** Add support for FTPS.
** Do not download/save file on error when --spider enabled
** Add --convert-file-only option. This option converts only the
filename part of the URLs, leaving the rest of the URLs untouched.
* Changes in Wget 1.16.2
** Native uuid generation on Windows
** Fix build on Solaris
** Allow progress bar on stderr when -o is used
** Accept 5-digit port numbers in FTP EPSV responses.
** Support older versions of flex.
** Updated translations.
* Changes in Wget 1.16.1
** Add --enable-assert configure option.
** Use pkg-config to check for libraries presence.
** Do not limit --secure-protocol=auto|pfs to TLSv1.0.
** Add --secure-protocol=TLSv1_1|TLSv1_2 .
** Full C89 source code compliance.
** Select and use the most secure authentication scheme with HTTP connections.
** Fix issues with turkish locales.
** Handle 504 Gateway Timeout.
** New option --crl-file to load Certificate Revocation Lists.
** Add valgrind support to tests suite.
** Fix an off-by-one problem in the progress bar (introduced in 1.16).
changes:
** No longer create local symbolic links by default.
Closes CVE-2014-4877.
** Use libpsl for verifying cookie domains. (not in pkgsrc yet)
** Default progress bar output changed.
** Introduce --show-progress to force display the progress bar.
** Introduce --no-config. The wgetrc files will not be read.
** Introduce --start-pos to allow starting downloads from a
specified position.
** Fix a problem with ISA Server Proxy and keep-alive connections.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
* Changes in Wget 1.15
** Add support for --method.
** Add support for file names longer than MAX_FILE.
** Support FTP listing for the FTP Server on Windows Server 2008 R2.
** Fix a regression when -c and --content-disposition are used together.
** Support shorthand URLs in an input file.
** Fix -c with servers that don't specify a content-length.
** Add support for MD5-SESS
** Do not fail on non fatal GNU TLS alerts during handshake.
** Add support for --https-only. When used wget will follow only
HTTPS links in recursive mode.
** Support Perfect-Forward Secrecy in --secure-protocol.
** Fix a problem with some IRI links that are not followed when contained in a
HTML document.
** Support some FTP servers that return an empty list with "LIST -a".
** Specify Host with the HTTP CONNECT method.
** Use the correct HTTP method on a redirection.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
* Changes in Wget 1.14
** Add support for content-on-error. It allows to store the HTTP
payload on 4xx or 5xx errors.
** Add support for WARC files.
** Fix a memory leak problem in the GNU TLS backend.
** Autoreconf works again for distributed tarballs.
** Print some diagnostic messages to stderr not to stdout.
** Report stdout close errors.
** Accept the --report-speed option.
** Enable client certificates when GNU TLS is used.
** Add support for TLS Server Name Indication.
** Accept the arguments --accept-reject and --reject-regex.
** The GNU TLS backend honors correctly the timeout value.
** Add support for RFC 2617 Digest Access Authentication.
* Remove ssl option, and add gnutls and openssl options.
The default is openssl like before.
* All security patches are included in upstream's tar ball.
* Remove ac_cv_func_sigsetjmp=yes line, because not defined now.
Tested on NetBSD/i386 4.0.1, 5.1 5.99.56.
Changelog:
* Changes in Wget 1.13.4
** Now --version and --help work again.
** Fix a build error on solaris 10 sparc.
** Now --timestamping and --continue work well together.
** Return a network failure when FTP downloads fail and --timestamping
is specified.
* Changes in Wget 1.13.3
** Support HTTP/1.1
** Now by default the GNU TLS library for secure connections, instead of
OpenSSL.
** Fix some portability issues.
** Handle properly malformed status line in a HTTP response.
** Ignore zero length domains in $no_proxy.
** Set new cookies after an authorization failure.
** Exit with failure if -k is specified and -O is not a regular file.
** Cope better with unclosed html tags.
** Print diagnostic messages to stderr, not stdout.
** Do not use an additional HEAD request when --content-disposition is used,
but use directly GET.
** Report the average transfer speed correctly when multiple URL's are specified
and -c influences the transferred data amount.
** GNU TLS backend works again.
** Now --timestamping and --continue works well together.
** By default, on server redirects, use the original URL to get the
local file name. Close CVE-2010-2252. This introduces a
backward-incompatibility; any script that relies on the old
behaviour must use --trust-server-names.
** Fix a problem when -k is used and some URLs are specified trough
CSS.
** Convert correctly URLs that need to be encoded to local files when following
links.
** Use persistent connections with proxies supporting them.
** Print the total download time as part of the summary for recursive downloads.
** Now it is possible to specify a different startup configuration file trough
the --config option.
** Fix an infinite loop with the error '<filename> has sprung into existence'
on a network error and -nc is used.
** Now --adjust-extension does not modify the file extension if the file ends
in .htm.
** Support HTTP/1.1 307 redirects keep request method.
** Now --no-parent doesn't fetch undesired files if HTTP and HTTPS are used
by the same host on different pages.
** Do not attempt to remove the file if it is not in the accept rules but
it is the output destination file.
** Introduce `show_all_dns_entries' to print all IP addresses corresponding to
a DNS name when it is resolved.
below).
** Mailing list MOVED to bug-wget@gnu.org
** SECURITY FIX: It had been possible to trick Wget into accepting
SSL certificates that don't match the host name, through the trick of
embedding NUL characters into the certs' common name. Fixed by Joao
Ferreira <joao@joaoff.com>.
** Added support for CSS. This includes:
- Parsing links from CSS files, and from CSS content found in HTML
style tags and attributes.
- Supporting conversion of links found within CSS content, when
--convert-links is specified.
- Ensuring that CSS files end in the ".css" filename extension,
when --convert-links is specified.
CSS support in Wget is thanks to Ted Mielczarek
<ted.mielczarek@gmail.com>.
** Added support for Internationalized Resource Identifiers (IRIs, RFC
3987). When support is enabled (requires libidn and libiconv), links
with non-ASCII bytes are translated from their source encoding to UTF-8
before percent-encoding. IRI support was added by Saint Xavier
<wget@sxav.eu>, as his project for the Google Summer of Code.
** Wget now provides more sensible exit status codes when downloads
don't proceed as expected (see the manual).
** --default-page option (and associated wgetrc command) added to
support alternative default names for index.html.
** --ask-password option (and associated wgetrc command) added to
support password prompts at the console.
** The --input-file option now also handles retrieving links from
an external file.
** The output generated by the --version option now includes
information on how it was built, and the set of configure-time options
that were selected.
** --html-extension has been renamed to --adjust-extension, to reflect
the fact that it now also applies to CSS content. --html-extension is
still acceptable, but is now deprecated.
** An "ascii" specifier is now accepted by --restrict-file-names, which
forces the percent-encoding of all non-ASCII bytes
** Several previously existing, but undocumented .wgetrc options are
now documented: save_headers, spider, and user_agent,
auth_no_challenge, and keep_session_cookies. Also added documentation
for the "lowercase" and "uppercase" values for --restrict-file-names, which had been present since Wget 1.11.
* Changes in Wget 1.11.4
** Fixed an issue (apparently a regression) where -O would refuse to
download when -nc was given, even though the file didn't exist.
** Fixed a situation where Wget could abort with --continue if the
remote server gives a content-length of zero when the file exists
locally with content.
** Fixed a crash on some systems, due to Wget casting a pointer-to-long
to a pointer-to-time_t.
** Translation updates for Catalan.
* Changes in Wget 1.11.3
** Downgraded -N with -O to a warning, rather than an error.
* Changes in Wget 1.11.2
** Fixed a problem in authenticating over HTTPS through a proxy.
(Regression in 1.11 over 1.10.2.)
** The combination of -r or -p with -O, which was disallowed in 1.11,
has been downgraded to a warning in 1.11.2. (-O and -N, which was never
meaningful, is still an error.)
** Further improvements to progress bar displays in non-English locales
(too many spaces could be inserted, causing the display to scroll).
** Successive invocations of Wget on FTP URLS, with --no-remove-listing
and --continue, was causing Wget to append, rather than replace,
information in the .listing file, and thereby download the same files
multiple times. This has been fixed in 1.11.2.
** Wget 1.11 no longer allowed ".." to persist at the beginning of URLs,
for improved conformance with RFC 3986. However, this behavior presents
problems for some FTP setups, and so they are now preserved again, for
FTP URLs only.
