[Git][security-tracker-team/security-tracker][master] Reserve DLA-4019-1 for busybox

Tobias Frost (@tobi) tobi at debian.org
Sun Jan 19 10:03:06 GMT 2025



Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3a31b5be by Tobias Frost at 2025-01-19T11:02:55+01:00
Reserve DLA-4019-1 for busybox

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -113216,7 +113216,6 @@ CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the
 CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via  ...)
 	- busybox 1:1.37.0-1 (bug #1059052)
 	[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15871
 	NOTE: Fixed by: https://git.busybox.net/busybox/commit/editors/awk.c?id=0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 (1_37_0)
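Review bot: CVE-2023-42366, the heap-buffer-overflow entry visible in this hunk's context header, is not in the CVE set DLA-4019-1 claims and its bullseye tag is not touched here; if it was triaged as not affecting bullseye's 1.30.1 or left out for lack of a backportable patch, record that in a NOTE line on its entry so the exclusion is not mistaken for an oversight.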
@@ -113225,7 +113224,6 @@ CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox v.1.36.
 CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to ...)
 	- busybox 1:1.37.0-1 (bug #1059051)
 	[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15868
 	NOTE: Fixed by: https://git.busybox.net/busybox/commit/editors/awk.c?id=0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 (1_37_0)
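Review bot: the kept line `[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)` is stale: the NOTE two lines below already records the upstream fix (awk.c commit 0256e00a..., tagged 1_37_0), and bullseye now receives a backport of it via DLA-4019-1. Revisit the bookworm tag rather than only dropping the bullseye one; the same applies to the CVE-2023-42365 entry in the previous hunk, which carries the identical reasoning and the identical fix commit.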
@@ -169945,7 +169943,6 @@ CVE-2022-48175 (Rukovoditel v3.2.1 was discovered to contain a remote code execu
 CVE-2022-48174 (There is a stack overflow vulnerability in ash.c:6030 in busybox befor ...)
 	- busybox 1:1.37.0-1 (bug #1059049)
 	[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://bugs.busybox.net/show_bug.cgi?id=15216
 	NOTE: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 (1_37_0)
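Review bot: style point on the kept line `NOTE: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 (1_37_0)`: the CVE-2023-42364 and CVE-2023-42365 entries prefix their fix commit with `Fixed by:`, while this one does not, so a reader cannot tell whether the URL is the fix or merely a reference. Use the same `NOTE: Fixed by:` prefix here, which matters for anyone checking what went into the bullseye backport.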
@@ -266073,19 +266070,16 @@ CVE-2021-42387 (Heap out-of-bounds read in Clickhouse's LZ4 compression codec wh
 	NOTE: https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/
 CVE-2021-42386 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox 1:1.35.0-1 (bug #999567)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 CVE-2021-42385 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox 1:1.35.0-1 (bug #999567)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 CVE-2021-42384 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox 1:1.35.0-1 (bug #999567)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
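Review bot: after the bullseye no-dsa tag is dropped, these three awk use-after-free entries still carry no `NOTE: Fixed by:` line, and the kept stretch tag still says `no identified patch`. The dla-needed.txt notes removed further down in this commit say patches were imported from Ubuntu; record per CVE the upstream or Ubuntu commit actually applied in the bullseye backport so the fix can be verified, and update the stretch reasoning if a patch has now been identified.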
@@ -266097,31 +266091,26 @@ CVE-2021-42383 (A use-after-free in Busybox's awk applet leads to denial of serv
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 CVE-2021-42382 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox 1:1.35.0-1 (bug #999567)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 CVE-2021-42381 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox 1:1.35.0-1 (bug #999567)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 CVE-2021-42380 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox 1:1.35.0-1 (bug #999567)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 CVE-2021-42379 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox 1:1.35.0-1 (bug #999567)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
 CVE-2021-42378 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox 1:1.35.0-1 (bug #999567)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
 	NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
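Review bot: CVE-2021-42383, visible only as this hunk's context header, is the one awk use-after-free in the CVE-2021-42378 to CVE-2021-42386 run that is neither listed in DLA-4019-1 nor has its bullseye line touched. Confirm the exclusion is deliberate (the removed dla-needed.txt notes say some CVEs still needed verification that they do not apply to 1.30) and add a NOTE on its entry stating why, otherwise it looks like it was simply missed.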
@@ -301322,7 +301311,6 @@ CVE-2021-28832 (VSCodeVim before 1.19.0 allows attackers to execute arbitrary co
 CVE-2021-28831 (decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit ...)
 	{DLA-2614-1}
 	- busybox 1:1.35.0-1 (bug #985674)
-	[bullseye] - busybox <no-dsa> (Minor issue)
 	[buster] - busybox <no-dsa> (Minor issue)
 	NOTE: https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd
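Review bot: this entry shows the cross-reference convention (`{DLA-2614-1}` on the line after the CVE), yet neither it nor the other twelve entries gain a `{DLA-4019-1}` reference in this commit. If the reference is only added once the advisory is published rather than reserved, that is fine; otherwise this line needs to become `{DLA-2614-1 DLA-4019-1}` and the other entries need a new reference line, since without it nothing in data/CVE/list ties the dropped bullseye tags to the advisory.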
 CVE-2021-27851 (A security vulnerability that can lead to local privilege escalation h ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[19 Jan 2025] DLA-4019-1 busybox - security update
+	{CVE-2021-28831 CVE-2021-42374 CVE-2021-42378 CVE-2021-42379 CVE-2021-42380 CVE-2021-42381 CVE-2021-42382 CVE-2021-42384 CVE-2021-42385 CVE-2021-42386 CVE-2022-48174 CVE-2023-42364 CVE-2023-42365}
+	[bullseye] - busybox 1:1.30.1-6+deb11u1
 [17 Jan 2025] DLA-4018-1 ruby2.7 - security update
 	{CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946 CVE-2024-43398 CVE-2024-49761}
 	[bullseye] - ruby2.7 2.7.4-1+deb11u3
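Review bot: CVE-2021-42374 is included in the advisory's CVE set, but no hunk in data/CVE/list touches it, unlike the other twelve CVEs listed; check that its entry does not still carry a `[bullseye] - busybox <no-dsa>` tag that should have been dropped together with the rest.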


=====================================
data/dla-needed.txt
=====================================
@@ -37,14 +37,6 @@ ansible (lee)
 asterisk
   NOTE: 20250105: Added by Front-Desk (apo)
 --
-busybox (tobi)
-  NOTE: 20241204: Added by Front-Desk (santiago)
-  NOTE: 20241204: Added to address the CVEs from 2021, after a request from a sponsor
-  NOTE: 20241225: Imported several patches from Ubuntu, see lts repo for details.
-  NOTE: 20241225: Some CVEs still need triage and verification that they not apply on 1.30 (as Ubuntu claims) and
-  NOTE: 20241225: several CVEs have no identified patch. My triaging table: https://pad.riseup.net/p/lts-busybox-triage-2024-12-keep
-  NOTE: 20241225: Due to Christmas/Congress, won't be able to work on it until Janauary. (tobi)
---
 cacti (rouca)
   NOTE: 20241023: Added by Front-Desk (lamby)
   NOTE: 20241103: Opened a git issue https://github.com/Cacti/cacti/issues/5896 for getting the upstream commit (rouca)
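Review bot: the removed busybox entry still states `Some CVEs still need triage and verification that they not apply on 1.30 (as Ubuntu claims)` and keeps the triage table only on an external pad; dropping the entry at the reservation stage loses that state from the tracker. Before the DLA is published, carry the per-CVE triage outcome into NOTE lines in data/CVE/list (or keep this entry until then) so the reasoning behind the chosen CVE set and the excluded CVEs survives independently of the pad.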



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a31b5be05dc0ee57222753385e70033bd2f3ec3
