[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

wget-1.20.1 released [stable]

From: Tim Rühsen
Subject: wget-1.20.1 released [stable]
Date: Wed, 26 Dec 2018 21:31:13 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0


due to some privacy issues in default settings of Wget, we introduce
this bugfix release.

The --xattr option (saving original URL and Referer into extended file
attributes) was introduced and enabled by default since Wget 1.19.
It possibly saved - possibly unrecognized by the user - credentials,
access tokes etc that were included in the requested URL.

We changed three details as a countermeasure, see below in the NEWS section.

With Best Regards, Tim

Here are the compressed sources and a GPG detached signature[*]:

Use a mirror for higher download bandwidth:

Here are the MD5 and SHA1 checksums:

f6ebe9c7b375fc9832fb1b2028271fb7  wget-1.20.1.tar.gz
4b1ade04ee7ff30181357e0c66b5ac74e39f79b3  wget-1.20.1.tar.gz

[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify wget-1.20.1.tar.gz.sig

If that command fails because you don't have the required public key,
then run this command to import it:

  gpg --keyserver --recv-keys 0x08302DB6A2670428

and rerun the 'gpg --verify' command.


* Changes in Wget 1.20.1

** --xattr is no longer default since it introduces privacy issues.

** --xattr saves the Referer as scheme/host/port,
   are no longer saved to prevent privacy issues.

** --xattr saves the Original URL without user/password to prevent
   privacy issues.

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]