oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

wget2-2.2.1 released with security fixes

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 6 Jan 2026 18:21:38 -0800
https://lists.gnu.org/archive/html/info-gnu/2026-01/msg00000.html announced
release 2.2.1 of GNU Wget2, the successor of GNU Wget.

The announcement listed these noteworthy changes:


 * Fix file overwrite issue with metalink
 * Fix remote buffer overflow in get_local_filename_real()
 * Fix a redirect/mirror regression from 400713ca

 * Use the local system timestamp when requested via --no-use-server-timestamps

 * Prevent file truncation with --no-clobber
 * Improve messages about why URLs are not being followed
 * Fix metalink with -O/--output-document
 * Fix sorting of metalink mirrors by priority
 * Add --show-progress to improve backwards compatibility to wget
 * Fix buffer overflow in wget_iri_clone() after wget_iri_set_scheme()
 * Allow 'no_' prefix in config options
 * Use libnghttp2 for HTTP/2 testing
 * Fix WolfSSL build issue if SSLv2 isn't built into the library
 * Set exit status to 8 on 403 response code
 * Fix convert-links
 * Fix --server-response for HTTP/1.1
 * Fix anchor links in README.md for Gitlab
 * Fix html examples in the documentation
 * Improvements on code, docs and CI/testing


The first bullet appears to have been assigned CVE-2025-69194:
  https://access.redhat.com/security/cve/cve-2025-69194
and the second bullet appears to have been assigned CVE-2025-69195:
  https://access.redhat.com/security/cve/cve-2025-69195

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Previous By Date Next
Previous By Thread Next

Current thread: