#wgetNoSatisfaction

Software


The video is the Rolling Stones singing (I Can’t Get No) Satisfaction, for those who can’t see the iframe.

We have another corker of a Linux bug to patch on all our systems this morning, this time in the nearly-ubiquitous GNU wget. In light of the fact all vulnerabilities need catchy names now, I’m dubbing this one #wgetNoSatisfaction. You’re welcome.

From MITRE:

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Wget 1.16 patches this. If you can’t update, enforce the --retr-symlinks option in the relevant place(s) for your system, such as:

# echo 'retr-symlinks=on' >> /usr/local/etc/wgetrc

From the Wget manpage:

Usually, when retrieving FTP directories recursively and a symbolic link is encountered, the linked-to file is not downloaded. Instead, a matching symbolic link is created on the local filesystem. The pointed-to file will not be downloaded unless this recursive retrieval would have encountered it separately and downloaded it anyway.

When --retr-symlinks is specified, however, symbolic links are traversed and the pointed-to files are retrieved. At this time, this option does not cause Wget to traverse symlinks to directories and recurse through them, but in the future it should be enhanced to do this.

As with Shellshock, FreeBSD is unaffected unless you’ve pulled wget from ports.
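If you’re checking a fleet rather than one box, here’s a small POSIX sh check (an added example, not from the original post) that decides whether a host is covered: either wget reports 1.16 or newer, or the wgetrc it’s handed has retr-symlinks switched on. It assumes a single system wgetrc path (the /usr/local/etc/wgetrc from above, adjust for your build) and doesn’t look at ~/.wgetrc.

```shell
#!/bin/sh
# Added example: is this host covered against the wget FTP symlink bug?
# Covered means wget >= 1.16, or retr-symlinks=on in the wgetrc checked.

# Return 0 if "major.minor[.patch]" is 1.16 or newer.
wget_version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    [ "${major:-0}" -gt 1 ] && return 0
    [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -ge 16 ] && return 0
    return 1
}

# Pull the version out of `wget --version` output, whose first line reads
# e.g. "GNU Wget 1.15 built on freebsd10.0.".
parse_wget_version() {
    printf '%s\n' "$1" | sed -n '1s/^GNU Wget \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the wgetrc in $1 enables retr-symlinks. wgetrc commands are
# case-, hyphen- and underscore-insensitive, so normalise first; comments
# are skipped and the last matching line wins, as wget reads the file.
wgetrc_retr_symlinks_on() {
    [ -r "$1" ] || return 1
    last=$(tr 'A-Z' 'a-z' < "$1" |
        sed -n 's/^[[:space:]]*retr[-_]symlinks[[:space:]]*=[[:space:]]*\([a-z0-9]*\).*/\1/p' |
        tail -n 1)
    case "$last" in
        on|1|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 is `wget --version` output, $2 the wgetrc path to inspect.
wget_mitigated() {
    wget_version_ok "$(parse_wget_version "$1")" && return 0
    wgetrc_retr_symlinks_on "$2"
}

# Stand-alone run against the local box (default path is an assumption;
# pass your system wgetrc as the first argument to override it).
if command -v wget >/dev/null 2>&1; then
    if wget_mitigated "$(wget --version 2>/dev/null)" "${1:-/usr/local/etc/wgetrc}"; then
        echo "wget: patched or retr-symlinks=on"
    else
        echo "wget: update to 1.16 or add retr-symlinks=on to wgetrc"
    fi
fi
```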

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!
