Hi,

This is a bugfix release:

"due to some privacy issues in default settings of Wget, we introduce this bugfix release.

The --xattr option (saving original URL and Referer into extended file attributes) was introduced and enabled by default since Wget 1.19. It possibly saved - possibly unrecognized by the user - credentials, access tokes etc that were included in the requested URL.

We changed three details as a countermeasure, see below in the NEWS section.

With Best Regards, Tim

...

NEWS

* Changes in Wget 1.20.1

** --xattr is no longer default since it introduces privacy issues.

** --xattr saves the Referer as scheme/host/port, user/pw/path/query/fragment are no longer saved to prevent privacy issues.

** --xattr saves the Original URL without user/password to prevent privacy issues."

Best, Matthias

Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/wget | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/wget b/lfs/wget index 5ccb0029f..b8c83d10d 100644 --- a/lfs/wget +++ b/lfs/wget @@ -24,7 +24,7 @@

include Config

-VER = 1.20 +VER = 1.20.1

THISAPP = wget-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_MD5 = 9f1515d083b769e9ff7642ce6016518e +$(DL_FILE)_MD5 = f6ebe9c7b375fc9832fb1b2028271fb7

install : $(TARGET)