[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

wget-1.24.5 released [stable]

From: Darshit Shah
Subject: wget-1.24.5 released [stable]
Date: Sun, 10 Mar 2024 15:51:03 +0100
User-agent: Mozilla Thunderbird

This is to announce wget-1.24.5, a stable release.

This is another relative slow release with minor bug fixes. The main one being a correction in how subdomains of Top-Level Domains (TLDs) are treated when checking for suffixes during HSTS lookups. This is a very low criticality vulnerability that has now been patched.

There have been 33 commits by 6 people in the 43 weeks since 1.21.4.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Christian Weisgerber (1)
  Darshit Shah (20)
  Jan Palus (1)
  Jan-Michael Brummer (1)
  Tim Rühsen (9)
  Yaakov Selkowitz (1)

Darshit Shah
 [on behalf of the wget maintainers]

Here is the GNU wget home page:

For a summary of changes and contributors, see:;a=shortlog;h=v1.24.5
or run this command from a git-cloned wget directory:
  git shortlog v1.21.4..v1.24.5

Here are the compressed sources: (5.0MB) (2.5MB)

Here are the GPG detached signatures:

Use a mirror for higher download bandwidth:

Here are the SHA1 and SHA256 checksums:

  62525de6f09486942831ca2e352ae6802fc2c3dd  wget-1.24.5.tar.gz
  +i3DW6tRhOy8Rqnvg97yqqo/TJ88l9S9GdywfU2mN94=  wget-1.24.5.tar.gz
  01659f427c2e90c7c943805db69ea00f5da79b07  wget-1.24.5.tar.lz
  V6EHFR5O+U/flK/+z6xZiWPzcvEyk+2cdAMhBTkLNu4=  wget-1.24.5.tar.lz

Verify the base64 SHA256 checksum with cksum -a sha256 --check
from coreutils-9.2 or OpenBSD's cksum since 2007.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify wget-1.24.5.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   rsa4096 2015-10-14 [SC]
        7845 120B 07CB D8D6 ECE5  FF2B 2A17 43ED A91A 35B6
  uid   Darshit Shah <>
  uid   Darshit Shah <>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key

  gpg --recv-keys 64FF90AAE8C70AF9

  wget -q -O- '' | gpg --import -

As a last resort to find the key, you can try the official GNU

  wget -q
  gpg --keyring gnu-keyring.gpg --verify wget-1.24.5.tar.gz.sig

This release was bootstrapped with the following tools:
  Autoconf 2.72
  Automake 1.16.5
  Gnulib v0.1-7211-gd15237a22b


* Noteworthy changes in release 1.24.5 (2024-03-10) [stable]

** Fix how subdomain matches are checked for HSTS.
   Fixes a minor issue where cookies may be leaked to the wrong domain

** Wget will now also parse the srcset attribute in <source> HTML tags

** Support reading fetchmail style "user" and "passwd" fields from netrc

** In some cases, prevent the confusing "Cannot write to... (success)" error messages

** Support extremely fast download speeds (TB/s).
   Previously this would cause Wget to crash when printing the speed

** Improve portability on OpenBSD to run the test suite

** Ensure that CSS URLs are corectly quoted (Bug: 64082)

Attachment: OpenPGP_0x2A1743EDA91A35B6.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]