GNU wget 1.18 released

From: Giuseppe Scrivano
Subject: GNU wget 1.18 released
Date: Thu, 09 Jun 2016 18:57:12 +0200


We are pleased to announce the new version of GNU wget.

This version fixes a security vulnerability (CVE-2016-4971) present in
all old versions of wget.  The vulnerability was discovered by Dawid
Golunski and was reported to us by Beyond Security's SecuriTeam.

On a server redirect from HTTP to an FTP resource, wget would trust the
HTTP server and use the name in the redirected URL as the destination.
This behaviour was changed and now it works similarly to a redirect from
HTTP to another HTTP resource, so the original name is used as
the destination file.  To keep the previous behaviour the user must
provide --trust-server-names.

The new version is available for download here:

and the GPG detached signatures using the key E163E1EA:

To reduce load on the main server, you can use this redirector service
which automatically redirects you to a mirror:

Noteworthy changes:

* By default, on server redirects to an FTP resource, use the original
  URL to get the local file name. Close CVE-2016-4971.  This
  introduces a backward-incompatibility for HTTP->FTP redirects and
  any script that relies on the old behaviour must use

* Check the HSTS file is not world-writable before using it.

* Parse <img srcset> attributes on a recursive download.

* Fix problem with SNI server names having trailing dot(s)

* New options --bind-dns-address and --dns-servers.

* When Wget is built with libiconv, it now converts non-ASCII URIs to
  the locale's codeset when it creates files.  The encoding of the
  remote files and URIs is taken from --remote-encoding, defaulting to
  UTF-8.  The result is that non-ASCII URIs and files downloaded via
  HTTP/HTTPS and FTP will have names on the local filesystem that
  correspond to their remote names.

Please report any problem you may experience to the address@hidden
mailing list.

For the maintainers of wget,
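
Added example, not part of the original announcement and not wget's own source: a simplified C model of how the local file name is chosen after a redirect, following the CVE-2016-4971 description above. The function names, the `fixed` flag and the URLs are constructed for illustration; `trust` stands in for --trust-server-names.

```c
#include <stdio.h>
#include <string.h>

/* Copy the last path segment of url into out, dropping any query/fragment.
   Falls back to "index.html" when the path is empty or ends in '/'. */
static void url_basename(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;                      /* skip the scheme */
    const char *stop = p + strcspn(p, "?#");  /* end of host + path */
    const char *name = NULL;
    for (const char *q = p; q < stop; q++)
        if (*q == '/')
            name = q + 1;                     /* char after the last '/' */
    if (name == NULL || name == stop)
        snprintf(out, outlen, "index.html");
    else
        snprintf(out, outlen, "%.*s", (int)(stop - name), name);
}

static int is_ftp(const char *url) { return strncmp(url, "ftp://", 6) == 0; }

/* Simplified model of the naming decision after a redirect.
   fixed = 0: behaviour described for old versions (HTTP->FTP trusts the server).
   fixed = 1: 1.18 behaviour (original URL names the file unless trust is set). */
void local_name(const char *orig, const char *final, int fixed, int trust,
                char *out, size_t outlen)
{
    int use_final = trust || (!fixed && is_ftp(final));
    url_basename(use_final ? final : orig, out, outlen);
}

int main(void)
{
    /* Constructed URLs, for illustration only. */
    const char *orig = "http://downloads.example.com/release/notes.txt";
    const char *ftp  = "ftp://mirror.example.net/pub/other-name.bin";
    char name[256];

    local_name(orig, ftp, 0, 0, name, sizeof name);
    printf("old versions, HTTP->FTP:   %s\n", name);
    local_name(orig, ftp, 1, 0, name, sizeof name);
    printf("1.18, HTTP->FTP:           %s\n", name);
    local_name(orig, ftp, 1, 1, name, sizeof name);
    printf("1.18 + trust server names: %s\n", name);
    return 0;
}
```

Scripts that depended on the redirected name can be audited by checking which of these two names they expect on disk.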
