wget (1.13.4-3+deb7u3) wheezy-security; urgency=high

  This version fixes a security vulnerability (CVE-2016-4971) present 
  in all old versions of wget.  The vulnerability was discovered by 
  Dawid Golunski which were reported to us by Beyond Security's 
  SecuriTeam.

  On a server redirect from HTTP to a FTP resource, wget would trust the
  HTTP server and uses the name in the redirected URL as the destination
  filename.
  This behaviour was changed and now it works similarly as a redirect 
  from HTTP to another HTTP resource so the original name is used as
  the destination file.  To keep the previous behaviour the user must
  provide --trust-server-names.

 -- Thorsten Alteholz <debian@alteholz.de>  Mon, 27 Jun 2016 18:00:14 +0200

wget (1.13.4-3+deb7u2) stable-security; urgency=high

  From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
  From: Darshit Shah <darnir@gmail.com>
  Date: Sun, 07 Sep 2014 19:11:17 +0000
  Subject: CVE-2014-4877: Arbitrary Symlink Access
  
  Wget was susceptible to a symlink attack which could create arbitrary
  files, directories or symbolic links and set their permissions when
  retrieving a directory recursively through FTP. This commit changes the
  default settings in Wget such that Wget no longer creates local symbolic
  links, but rather traverses them and retrieves the pointed-to file in
  such a retrieval.
  
  The old behaviour can be attained by passing the --retr-symlinks=no
  option to the Wget invokation command.

 -- Thorsten Alteholz <debian@alteholz.de>  Wed, 29 Oct 2014 19:00:14 +0100
