SUSE alert openSUSE-SU-2026:0010-1 (wget2)
From: maintenance@opensuse.org
To: security-announce@lists.opensuse.org
Subject: openSUSE-SU-2026:0010-1: important: Security update for wget2
Date: Mon, 12 Jan 2026 18:05:41 +0100
Message-ID: <20260112170541.43A04FBAD@maintenance.suse.de>

   openSUSE Security Update: Security update for wget2
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0010-1
Rating:             important
References:         #1255728 #1255729
Cross-References:   CVE-2025-69194 CVE-2025-69195
Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for wget2 fixes the following issues:

   - Update to release 2.2.1
     * Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]
     * Fix remote buffer overflow in get_local_filename_real()
       [CVE-2025-69195 bsc#1255729]
     * Fix a redirect/mirror regression from 400713ca
     * Use the local system timestamp when requested via
       --no-use-server-timestamps
     * Prevent file truncation with --no-clobber
     * Improve messages about why URLs are not being followed
     * Fix metalink with -O/--output-document
     * Fix sorting of metalink mirrors by priority
     * Add --show-progress to improve backwards compatibility to wget
     * Fix buffer overflow in wget_iri_clone() after wget_iri_set_scheme()
     * Allow 'no_' prefix in config options
     * Use libnghttp2 for HTTP/2 testing
     * Set exit status to 8 on 403 response code
     * Fix convert-links
     * Fix --server-response for HTTP/1.1

   - Update to release 2.2.0
     * Don't truncate file when -c and -O are combined
     * Don't log URI userinfo to logs
     * Fix downloading multiple files via HTTP/2
     * Support connecting with HTTP/1.0 proxies
     * Ignore 1xx HTTP responses for HTTP/1.1
     * Disable TCP Fast Open by default
     * Fix segfault when OCSP response is missing
     * Add libproxy support

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2026-10=1

Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

      libwget4-2.2.1-bp156.2.3.1
      wget2-2.2.1-bp156.2.3.1
      wget2-devel-2.2.1-bp156.2.3.1

References:

   https://www.suse.com/security/cve/CVE-2025-69194.html
   https://www.suse.com/security/cve/CVE-2025-69195.html
   https://bugzilla.suse.com/1255728
   https://bugzilla.suse.com/1255729
