Debian Package Tracker
Register | Log in
Subscribe

wget

retrieves files from the web

Choose email to subscribe with

general
  • source: wget (main)
  • version: 1.25.0-2
  • maintainer: Noël Köthe (DMD)
  • arch: any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.21-1+deb11u1
  • o-o-sec: 1.21-1+deb11u2
  • oldstable: 1.21.3-1+deb12u1
  • stable: 1.25.0-2
  • testing: 1.25.0-2
  • unstable: 1.25.0-2
versioned links
  • 1.21-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.21-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.21.3-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.25.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • wget (75 bugs: 0, 34, 41, 0)
  • wget-udeb
action needed
5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:
  • CVE-2021-31879: GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
  • CVE-2026-58469: GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
  • CVE-2026-58470: GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.
  • CVE-2026-58471: GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
  • CVE-2026-58472: GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.
Created: 2022-07-04 Last update: 2026-07-09 01:00
5 security issues in forky high

There are 5 open security issues in forky.

5 important issues:
  • CVE-2021-31879: GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
  • CVE-2026-58469: GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
  • CVE-2026-58470: GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.
  • CVE-2026-58471: GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
  • CVE-2026-58472: GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.
Created: 2025-08-09 Last update: 2026-07-09 01:00
6 security issues in bullseye high

There are 6 open security issues in bullseye.

4 important issues:
  • CVE-2026-58469: GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
  • CVE-2026-58470: GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.
  • CVE-2026-58471: GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
  • CVE-2026-58472: GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.
1 issue postponed or untriaged:
  • CVE-2021-31879: (needs triaging) GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
1 ignored issue:
  • CVE-2024-10524: Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
Created: 2026-07-08 Last update: 2026-07-09 01:00
6 security issues in bookworm high

There are 6 open security issues in bookworm.

4 important issues:
  • CVE-2026-58469: GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
  • CVE-2026-58470: GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.
  • CVE-2026-58471: GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
  • CVE-2026-58472: GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.
2 issues left for the package maintainer to handle:
  • CVE-2021-31879: (postponed; to be fixed through a stable update) GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
  • CVE-2024-10524: (needs triaging) Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2026-07-09 01:00
1 open merge request in Salsa normal
There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2025-09-12 Last update: 2025-09-12 12:07
5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:
  • CVE-2021-31879: (postponed; to be fixed through a stable update) GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
  • CVE-2026-58469: (needs triaging) GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
  • CVE-2026-58470: (needs triaging) GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.
  • CVE-2026-58471: (needs triaging) GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
  • CVE-2026-58472: (needs triaging) GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-09 Last update: 2026-07-09 01:00
debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 1.25.0-2 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-03-08 13:00
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).
Created: 2025-12-23 Last update: 2026-03-31 15:01
testing migrations
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
[rss feed]
  • [2025-04-20] Accepted wget 1.21-1+deb11u2 (source) into oldstable-security (Adrian Bunk)
  • [2025-03-14] wget 1.25.0-2 MIGRATED to testing (Debian testing watch)
  • [2025-03-08] Accepted wget 1.21.3-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Shengqi Chen)
  • [2025-03-08] Accepted wget 1.25.0-2 (source) into unstable (Shengqi Chen)
  • [2025-03-06] wget 1.25.0-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-01] Accepted wget 1.25.0-1 (source) into unstable (Shengqi Chen)
  • [2024-08-04] wget 1.24.5-2 MIGRATED to testing (Debian testing watch)
  • [2024-07-28] Accepted wget 1.24.5-2 (source amd64) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • [2024-05-03] wget 1.24.5-1 MIGRATED to testing (Debian testing watch)
  • [2024-03-17] Accepted wget 1.24.5-1 (source) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • [2023-09-14] wget 1.21.4-1 MIGRATED to testing (Debian testing watch)
  • [2023-09-09] Accepted wget 1.21.4-1 (source amd64) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • [2022-04-07] wget 1.21.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-29] Accepted wget 1.21.3-1 (source amd64) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • [2021-12-05] Accepted wget 1.21-1+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Peter Michael Green)
  • [2021-10-19] wget 1.21.2-2 MIGRATED to testing (Debian testing watch)
  • [2021-10-13] Accepted wget 1.21.2-2 (source amd64) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • [2021-10-10] Accepted wget 1.21.2-1 (source) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • [2021-01-10] wget 1.21-1 MIGRATED to testing (Debian testing watch)
  • [2021-01-02] Accepted wget 1.21-1 (source amd64) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • [2020-01-29] Accepted wget 1.16-1+deb8u7 (source amd64) into oldoldstable (Thorsten Alteholz)
  • [2019-08-05] wget 1.20.3-1 MIGRATED to testing (Debian testing watch)
  • [2019-07-20] Accepted wget 1.20.3-1 (source amd64) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • [2019-04-24] wget 1.20.1-1.1 MIGRATED to testing (Debian testing watch)
  • [2019-04-22] Accepted wget 1.16-1+deb8u6 (source amd64) into oldstable (Thorsten Alteholz)
  • [2019-04-14] Accepted wget 1.18-5+deb9u3 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
  • [2019-04-11] Accepted wget 1.20.1-1.1 (source) into unstable (Salvatore Bonaccorso)
  • [2019-04-05] Accepted wget 1.18-5+deb9u3 (source) into stable->embargoed, stable (Salvatore Bonaccorso)
  • [2018-12-31] wget 1.20.1-1 MIGRATED to testing (Debian testing watch)
  • [2018-12-27] Accepted wget 1.20.1-1 (source amd64) into unstable (Noël Köthe) (signed by: Noèl Köthe)
  • 1
  • 2
bugs [bug history graph]
  • all: 73 76
  • RC: 0
  • I&N: 35
  • M&W: 38 41
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 79)
  • debian patches
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 1.25.0-2ubuntu4
  • patches for 1.25.0-2ubuntu4

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing