wget is vulnerable to spoofing attack. Wget is affected by the previously published βnull prefix attackβ, caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Wget into accepting it by mistake.
addictivecode.org/pipermail/wget-notify/2009-August/001808.html
hg.addictivecode.org/wget/mainline/rev/1eab157d3be7
kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
marc.info/?l=oss-security&m=125198917018936&w=2
marc.info/?l=oss-security&m=125369675820512&w=2
permalink.gmane.org/gmane.comp.web.wget.general/8972
secunia.com/advisories/36540
www.redhat.com/security/updates/classification/#moderate
www.securityfocus.com/bid/36205
www.vupen.com/english/advisories/2009/2498
access.redhat.com/errata/RHSA-2009:1549
bugzilla.redhat.com/show_bug.cgi?id=520454
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11099