Mandriva Linux Security Advisory 2009-206 - GNU Wget before 1.12 does not properly handle a '\0' (NUL) character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. This update provides a solution to this vulnerability. Packages for 2008.0 are being provided due to extended support for Corporate products.
4d134cb5317746dbabde9ddcb0704cf7d3ebb8c26b5476cc7c3f8d510610cac6
Gentoo Linux Security Advisory 200910-1 - An error in the X.509 certificate handling of Wget might enable remote attackers to conduct man-in-the-middle attacks. The vendor reported that Wget does not properly handle Common Name (CN) fields in X.509 certificates that contain an ASCII NUL (\0) character. Specifically, the processing of such fields is stopped at the first occurrence of a NUL character. This type of vulnerability was recently discovered by Dan Kaminsky and Moxie Marlinspike. Versions less than 1.12 are affected.
e19b1568c90378a3d70151fe317843af4d60f22b3c3395301e1bcc36f4edb4fd
Debian Linux Security Advisory 1904-1 - Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using http(s) and ftp, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the Common Name field.
3843134110b6c71b79bd051847e6f367cb74138ba26cadaffdaa04ae54eb2b3c
Ubuntu Security Notice 842-1 - It was discovered that Wget did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications.
b9dec6517e790c9e09c7a94658d37d6b784a845a1b7ece20faae1c0bbc910b8d