OPENSUSE-SU-2026:20038-1
Vulnerability from csaf_opensuse - Published: 2026-01-14 13:23 - Updated: 2026-01-14 13:23Summary
Security update for wget2
Notes
Title of the patch
Security update for wget2
Description of the patch
This update for wget2 fixes the following issues:
Changes in wget2:
- Update to release 2.2.1
* Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]
* Fix remote buffer overflow in get_local_filename_real()
[CVE-2025-69195 bsc#1255729]
* Fix a redirect/mirror regression from 400713ca
* Use the local system timestamp when requested via
--no-use-server-timestamps
* Prevent file truncation with --no-clobber
* Improve messages about why URLs are not being followed
* Fix metalink with -O/--output-document
* Fix sorting of metalink mirrors by priority
* Add --show-progress to improve backwards compatibility to wget
* Fix buffer overflow in wget_iri_clone() after
wget_iri_set_scheme()
* Allow 'no_' prefix in config options
* Use libnghttp2 for HTTP/2 testing
* Set exit status to 8 on 403 response code
* Fix convert-links
* Fix --server-response for HTTP/1.1
- Update to release 2.2.0
* Don't truncate file when -c and -O are combined
* Don't log URI userinfo to logs
* Fix downloading multiple files via HTTP/2
* Support connecting with HTTP/1.0 proxies
* Ignore 1xx HTTP responses for HTTP/1.1
* Disable TCP Fast Open by default
* Fix segfault when OCSP response is missing
* Add libproxy support
Patchnames
openSUSE-Leap-16.0-packagehub-70
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for wget2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for wget2 fixes the following issues:\n\nChanges in wget2:\n\n- Update to release 2.2.1\n * Fix file overwrite issue with metalink [CVE-2025-69194 bsc#1255728]\n * Fix remote buffer overflow in get_local_filename_real()\n [CVE-2025-69195 bsc#1255729]\n * Fix a redirect/mirror regression from 400713ca\n * Use the local system timestamp when requested via\n --no-use-server-timestamps\n * Prevent file truncation with --no-clobber\n * Improve messages about why URLs are not being followed\n * Fix metalink with -O/--output-document\n * Fix sorting of metalink mirrors by priority\n * Add --show-progress to improve backwards compatibility to wget\n * Fix buffer overflow in wget_iri_clone() after\n wget_iri_set_scheme()\n * Allow \u0027no_\u0027 prefix in config options\n * Use libnghttp2 for HTTP/2 testing\n * Set exit status to 8 on 403 response code\n * Fix convert-links\n * Fix --server-response for HTTP/1.1\n\n- Update to release 2.2.0\n * Don\u0027t truncate file when -c and -O are combined\n * Don\u0027t log URI userinfo to logs\n * Fix downloading multiple files via HTTP/2\n * Support connecting with HTTP/1.0 proxies\n * Ignore 1xx HTTP responses for HTTP/1.1\n * Disable TCP Fast Open by default\n * Fix segfault when OCSP response is missing\n * Add libproxy support\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-70",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20038-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1255728",
"url": "https://bugzilla.suse.com/1255728"
},
{
"category": "self",
"summary": "SUSE Bug 1255729",
"url": "https://bugzilla.suse.com/1255729"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-69194 page",
"url": "https://www.suse.com/security/cve/CVE-2025-69194/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-69195 page",
"url": "https://www.suse.com/security/cve/CVE-2025-69195/"
}
],
"title": "Security update for wget2",
"tracking": {
"current_release_date": "2026-01-14T13:23:53Z",
"generator": {
"date": "2026-01-14T13:23:53Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20038-1",
"initial_release_date": "2026-01-14T13:23:53Z",
"revision_history": [
{
"date": "2026-01-14T13:23:53Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "libwget4-2.2.1-bp160.1.1.aarch64",
"product": {
"name": "libwget4-2.2.1-bp160.1.1.aarch64",
"product_id": "libwget4-2.2.1-bp160.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "wget2-2.2.1-bp160.1.1.aarch64",
"product": {
"name": "wget2-2.2.1-bp160.1.1.aarch64",
"product_id": "wget2-2.2.1-bp160.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "wget2-devel-2.2.1-bp160.1.1.aarch64",
"product": {
"name": "wget2-devel-2.2.1-bp160.1.1.aarch64",
"product_id": "wget2-devel-2.2.1-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "libwget4-2.2.1-bp160.1.1.ppc64le",
"product": {
"name": "libwget4-2.2.1-bp160.1.1.ppc64le",
"product_id": "libwget4-2.2.1-bp160.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "wget2-2.2.1-bp160.1.1.ppc64le",
"product": {
"name": "wget2-2.2.1-bp160.1.1.ppc64le",
"product_id": "wget2-2.2.1-bp160.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "wget2-devel-2.2.1-bp160.1.1.ppc64le",
"product": {
"name": "wget2-devel-2.2.1-bp160.1.1.ppc64le",
"product_id": "wget2-devel-2.2.1-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "libwget4-2.2.1-bp160.1.1.s390x",
"product": {
"name": "libwget4-2.2.1-bp160.1.1.s390x",
"product_id": "libwget4-2.2.1-bp160.1.1.s390x"
}
},
{
"category": "product_version",
"name": "wget2-2.2.1-bp160.1.1.s390x",
"product": {
"name": "wget2-2.2.1-bp160.1.1.s390x",
"product_id": "wget2-2.2.1-bp160.1.1.s390x"
}
},
{
"category": "product_version",
"name": "wget2-devel-2.2.1-bp160.1.1.s390x",
"product": {
"name": "wget2-devel-2.2.1-bp160.1.1.s390x",
"product_id": "wget2-devel-2.2.1-bp160.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "libwget4-2.2.1-bp160.1.1.x86_64",
"product": {
"name": "libwget4-2.2.1-bp160.1.1.x86_64",
"product_id": "libwget4-2.2.1-bp160.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "wget2-2.2.1-bp160.1.1.x86_64",
"product": {
"name": "wget2-2.2.1-bp160.1.1.x86_64",
"product_id": "wget2-2.2.1-bp160.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "wget2-devel-2.2.1-bp160.1.1.x86_64",
"product": {
"name": "wget2-devel-2.2.1-bp160.1.1.x86_64",
"product_id": "wget2-devel-2.2.1-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "libwget4-2.2.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.aarch64"
},
"product_reference": "libwget4-2.2.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libwget4-2.2.1-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.ppc64le"
},
"product_reference": "libwget4-2.2.1-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libwget4-2.2.1-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.s390x"
},
"product_reference": "libwget4-2.2.1-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libwget4-2.2.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.x86_64"
},
"product_reference": "libwget4-2.2.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wget2-2.2.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.aarch64"
},
"product_reference": "wget2-2.2.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wget2-2.2.1-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.ppc64le"
},
"product_reference": "wget2-2.2.1-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wget2-2.2.1-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.s390x"
},
"product_reference": "wget2-2.2.1-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wget2-2.2.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.x86_64"
},
"product_reference": "wget2-2.2.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wget2-devel-2.2.1-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.aarch64"
},
"product_reference": "wget2-devel-2.2.1-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wget2-devel-2.2.1-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.ppc64le"
},
"product_reference": "wget2-devel-2.2.1-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wget2-devel-2.2.1-bp160.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.s390x"
},
"product_reference": "wget2-devel-2.2.1-bp160.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "wget2-devel-2.2.1-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.x86_64"
},
"product_reference": "wget2-devel-2.2.1-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-69194",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-69194"
}
],
"notes": [
{
"category": "general",
"text": "A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink \u003cfile name\u003e elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user\u0027s environment.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-69194",
"url": "https://www.suse.com/security/cve/CVE-2025-69194"
},
{
"category": "external",
"summary": "SUSE Bug 1255728 for CVE-2025-69194",
"url": "https://bugzilla.suse.com/1255728"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-14T13:23:53Z",
"details": "important"
}
],
"title": "CVE-2025-69194"
},
{
"cve": "CVE-2025-69195",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-69195"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-69195",
"url": "https://www.suse.com/security/cve/CVE-2025-69195"
},
{
"category": "external",
"summary": "SUSE Bug 1255729 for CVE-2025-69195",
"url": "https://bugzilla.suse.com/1255729"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:libwget4-2.2.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:wget2-2.2.1-bp160.1.1.x86_64",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.aarch64",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.s390x",
"openSUSE Leap 16.0:wget2-devel-2.2.1-bp160.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-14T13:23:53Z",
"details": "important"
}
],
"title": "CVE-2025-69195"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…