package: wget
version: 1.12-1
severity: important
tags: security

hi,

wget implements a forked version of libntlm.  in order to provide
timely security support (and to reduce some of the burden on the
security team), it would be very desirable (if possible) for wget to
link to the existing libntlm library, rather than implementing its own
version. thanks.

mike

Michael S Gilbert wrote:

This is untrue. Wget's ntlm support was taken from curl, not from libntlm.

Taking advantage of libntlm could be a possible goal, however it
currently lacks support for the most recent version of the protocol,
whereas a user has recently contributed that support to Wget. It is not
present in 1.12 because it hasn't been sufficiently tested (mainly
against the earlier versions of the protocol).

It'd probably be ideal for that support to find its way into libntlm. At
that time, we'd probably consider using it. For the immediate future,
though, we (upstream) are probably not going to pursue that just yet.

it appeared to me to be a fork since essentially the same code is
implemented with slightly differing function names.  i imagine that
this is a consequence of the fact that there is one right way to
implement support for the ntlm standard.

thanks for the info and quick response!

mike

Hi

The NTLM code in wget is based on the curl code, and I wrote both versions.
The original curl one I wrote from scratch based on the docs I cite in the
code. I've never even seen the libntlm source code.

Hey there!

Welcome to and I enjoyed the conversation!   Thank you so much for
helping us promote our brand.   I wish you the best!

B. Grady Sandlin