[Git][security-tracker-team/security-tracker][master] triage for older busybox issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Oct 28 16:54:50 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1dd4c2a1 by Moritz Muehlenhoff at 2024-10-28T17:53:58+01:00
triage for older busybox issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -87779,19 +87779,19 @@ CVE-2023-46349 (In the module "Product Catalog (CSV, Excel) Export/Update" (upda
 	NOT-FOR-US: PrestaShop module
 CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_ ...)
 	- busybox <unfixed> (bug #1059053)
-	[bookworm] - busybox <no-dsa> (Minor issue)
+	[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15874
 CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via  ...)
 	- busybox <unfixed> (bug #1059052)
-	[bookworm] - busybox <no-dsa> (Minor issue)
+	[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15871
 CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to ...)
 	- busybox <unfixed> (bug #1059051)
-	[bookworm] - busybox <no-dsa> (Minor issue)
+	[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15868
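Review bot: the three bookworm lines move from <no-dsa> to <postponed> with "revisit when fixed upstream", but the bullseye and buster lines directly beneath each of them keep <no-dsa> (Minor issue) with no revisit marker. If the intent is to pick up CVE-2023-42366, CVE-2023-42365 and CVE-2023-42364 in the older suites too once the upstream bugs (15874, 15871, 15868) are resolved, say so in the rationale; if the older suites are deliberately left as no-dsa, a short reason in the bracket would keep a later triager from re-asking the question.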
@@ -102820,10 +102820,11 @@ CVE-2023-40170 (jupyter-server is the backend for Jupyter web applications. Impr
 	NOTE: https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd (v2.7.2)
 CVE-2023-39810 (An issue in the CPIO command of Busybox v1.33.2 allows attackers to ex ...)
 	- busybox <unfixed> (bug #1055307)
-	[bookworm] - busybox <no-dsa> (Minor issue)
+	[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/
+	NOTE: https://bugs.busybox.net/show_bug.cgi?id=16033
 CVE-2023-39709 (Multiple cross-site scripting (XSS) vulnerabilities in Free and Open S ...)
 	NOT-FOR-US: Free and Open Source Inventory Management System
 CVE-2023-39708 (A stored cross-site scripting (XSS) vulnerability in Free and Open Sou ...)
@@ -144502,11 +144503,11 @@ CVE-2022-48175 (Rukovoditel v3.2.1 was discovered to contain a remote code execu
 	NOT-FOR-US: Rukovoditel
 CVE-2022-48174 (There is a stack overflow vulnerability in ash.c:6030 in busybox befor ...)
 	- busybox <unfixed> (bug #1059049)
-	[bookworm] - busybox <no-dsa> (Minor issue)
+	[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15216
-	NOTE: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209
+	NOTE: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 (incomplete)
 CVE-2022-48173
 	RESERVED
 CVE-2022-48172
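Review bot: tagging the upstream commit d417193cf37ca1005830d7e16f5fa7e1d8a44209 as "(incomplete)" is the right call to record, but the entry does not say what remains unfixed after it, so the bookworm marker "revisit when fixed upstream" has no concrete condition to check. Add a clause or a NOTE pointing at where the remaining part is tracked (a comment on bug 15216, or a follow-up commit if one exists), e.g. `NOTE: ... (incomplete, see <reference to remaining fix>)`.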
@@ -205308,12 +205309,11 @@ CVE-2022-28393
 CVE-2022-28392
 	RESERVED
 CVE-2022-28391 (BusyBox through 1.35.0 allows remote attackers to execute arbitrary co ...)
-	- busybox <unfixed> (bug #1010264)
-	[bookworm] - busybox <no-dsa> (Minor issue)
-	[bullseye] - busybox <no-dsa> (Minor issue)
-	[buster] - busybox <no-dsa> (Minor issue)
-	[stretch] - busybox <no-dsa> (Minor issue)
+	- busybox <not-affected> (Specific to running busybox on musl instead of glibc)
 	NOTE: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
+	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15922
+	NOTE: https://bugs.busybox.net/show_bug.cgi?id=14811
+	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1198092#c3
 CVE-2022-28390 (ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kerne ...)
 	{DSA-5173-1 DSA-5127-1 DLA-3065-1}
 	- linux 5.17.3-1
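Review bot: switching CVE-2022-28391 to <not-affected> drops the Debian bug reference (bug #1010264) that the removed <unfixed> line carried, so the entry no longer links to the BTS discussion behind the decision. Keep it in the rationale, e.g. `- busybox <not-affected> (Specific to running busybox on musl instead of glibc; bug #1010264)`, or as a NOTE. It would also help to state which of the four references establishes the musl-only conclusion; the bugzilla.suse.com link is anchored to a specific comment (#c3), which suggests it is the supporting evidence, and the rationale could say so.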



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dd4c2a1006ffd130e1e49fb464debccb590a82d


