[Git][security-tracker-team/security-tracker][master] busybox: stretch postponed
Sylvain Beucler (@beuc)
beuc at debian.org
Tue Nov 16 11:44:52 GMT 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
af773e06 by Sylvain Beucler at 2021-11-16T12:44:33+01:00
busybox: stretch postponed
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -6010,46 +6010,55 @@ CVE-2021-42386 (A use-after-free in Busybox's awk applet leads to denial of serv
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42385 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42384 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42383 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42382 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42381 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42380 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42379 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42378 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox <unfixed> (bug #999567)
[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
+ [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42377 (An attacker-controlled pointer free in Busybox's hush applet leads to ...)
- busybox <unfixed> (bug #999567)
=====================================
data/dla-needed.txt
=====================================
@@ -18,12 +18,6 @@ ansible
NOTE: 20210411: after that LTS. (apo)
NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
-busybox (Sylvain Beucler)
- NOTE: 20211111: dos issues are low impact and could be ignored, awk issues seem
- NOTE: 20211111: only serious if executing untrusted code, so perhaps postpone,
- NOTE: 20211111: but double-check (pochu)
- NOTE: 20211113: waiting for further maintainer feedback & commit info (Beuc)
---
debian-archive-keyring
NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af773e06fa3befb178b247d0d8c2489762be3333
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af773e06fa3befb178b247d0d8c2489762be3333
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20211116/85e342f3/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list