Note: This is an archival copy of Security Sun Alert 273590 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021683.1.
Solaris 9 Operating System
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
A security vulnerability in the wget(1) command shipped with Solaris:
A security vulnerability in the wget(1) command shipped with Solaris may allow a local or remote unprivileged user who provides a specially crafted certificate signed by a legitimate Certification Authority to intercept encrypted HTTP (HTTPS) communication between the wget(1) client and a web server using a man-in-the-middle (MITM) attack.
Additional information regarding this issue is available at:
This issue can occur in the following releases:
$ uname -v
Note 2: HTTPS protocol support for the wget(1) command in Solaris 9 was added via patches 125326-01 (SPARC) and 125327-01 (x86). Therefore, Solaris 9 is only vulnerable if one of these patches is installed.
Note 3: Solaris 8 does not include support for the wget(1) command and therefore is not impacted by this issue.
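The exposure rules in Notes 2 and 3 can be applied to a patch inventory with a short triage script. This is an added example, not part of the Sun Alert: the function names, result strings and sample `showrev -p` text are constructed for illustration, and because this copy of the alert lists no fixed patch revisions, the script only reports whether an HTTPS-capable wget(1) is present.

```shell
#!/bin/sh
# Added triage example (not from the Sun Alert). Classifies a host from its
# `uname -r` release string and the text of `showrev -p`, using only the
# patch IDs named in Notes 2 and 3. Backticks are used so the script also
# runs under a legacy Bourne /bin/sh.

# wget_https_patch SHOWREV_TEXT
# Prints the highest installed revision of 125326 (SPARC) or 125327 (x86),
# for example "125326-01", or nothing if neither patch is present.
wget_https_patch() {
    printf '%s\n' "$1" | awk '
        $1 == "Patch:" && $2 ~ /^12532[67]-[0-9][0-9]$/ && $2 > max { max = $2 }
        END { if (max != "") print max }'
}

# wget_exposure RELEASE SHOWREV_TEXT
# RELEASE is the output of `uname -r` (5.8, 5.9 or 5.10).
wget_exposure() {
    case "$1" in
        5.8)
            echo "not-impacted: Solaris 8 does not ship wget(1)" ;;
        5.9)
            rev=`wget_https_patch "$2"`
            if [ -n "$rev" ]; then
                echo "review: HTTPS-capable wget installed via $rev"
            else
                echo "not-impacted: wget HTTPS patch not installed"
            fi ;;
        5.10)
            echo "review: Solaris 10 wget; check Resolution section" ;;
        *)
            echo "unknown: release $1 not covered by this alert" ;;
    esac
}

# Constructed sample inventory (patch 999999-01 and the package names are
# placeholders, not real identifiers).
SAMPLE_SHOWREV='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 125326-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'

# On a live host: wget_exposure "`uname -r`" "`showrev -p`"
wget_exposure 5.9 "$SAMPLE_SHOWREV"
```

A "review" result means the installed revision still has to be compared against the patches named in the Resolution section.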
There are no predictable symptoms that would indicate the described issue has been exploited on a system.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.