url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. Reference: https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html Upstream patch: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace
Created wget tracking bugs for this issue: Affects: fedora-all [bug 2292840] Created wget2 tracking bugs for this issue: Affects: epel-all [bug 2292839] Affects: fedora-all [bug 2292841]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2024:4998 https://access.redhat.com/errata/RHSA-2024:4998
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5299 https://access.redhat.com/errata/RHSA-2024:5299
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:6208 https://access.redhat.com/errata/RHSA-2024:6208
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:6192 https://access.redhat.com/errata/RHSA-2024:6192
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:6438 https://access.redhat.com/errata/RHSA-2024:6438