[Git][security-tracker-team/security-tracker][master] Reserve DLA-4019-1 for busybox
Tobias Frost (@tobi)
tobi at debian.org
Sun Jan 19 10:03:06 GMT 2025
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3a31b5be by Tobias Frost at 2025-01-19T11:02:55+01:00
Reserve DLA-4019-1 for busybox
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -113216,7 +113216,6 @@ CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the
CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via ...)
- busybox 1:1.37.0-1 (bug #1059052)
[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15871
NOTE: Fixed by: https://git.busybox.net/busybox/commit/editors/awk.c?id=0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 (1_37_0)
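Review bot: dropping the `[bullseye] - busybox <no-dsa> (Minor issue)` line is consistent with the new DLA-4019-1 entry listing CVE-2023-42365 for bullseye, but the remaining NOTE lines only point at the upstream bug and the 1_37_0 fix in editors/awk.c. Add a NOTE recording that this commit (or the corresponding imported Ubuntu patch) was backported into 1:1.30.1-6+deb11u1, so the bullseye fixed status can be verified from the entry itself rather than from the DLA list alone.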
@@ -113225,7 +113224,6 @@ CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox v.1.36.
CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to ...)
- busybox 1:1.37.0-1 (bug #1059051)
[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15868
NOTE: Fixed by: https://git.busybox.net/busybox/commit/editors/awk.c?id=0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 (1_37_0)
@@ -169945,7 +169943,6 @@ CVE-2022-48175 (Rukovoditel v3.2.1 was discovered to contain a remote code execu
CVE-2022-48174 (There is a stack overflow vulnerability in ash.c:6030 in busybox befor ...)
- busybox 1:1.37.0-1 (bug #1059049)
[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15216
NOTE: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 (1_37_0)
@@ -266073,19 +266070,16 @@ CVE-2021-42387 (Heap out-of-bounds read in Clickhouse's LZ4 compression codec wh
NOTE: https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/
CVE-2021-42386 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox 1:1.35.0-1 (bug #999567)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42385 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox 1:1.35.0-1 (bug #999567)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42384 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox 1:1.35.0-1 (bug #999567)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
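Review bot: for CVE-2021-42386, CVE-2021-42385 and CVE-2021-42384 the surviving `[stretch] - busybox <postponed>` line still says "no identified patch", and the only NOTE on each entry is the JFrog blog post. With bullseye now marked as fixed through DLA-4019-1, a reader of these entries sees a contradiction; add a NOTE with the upstream commit or the imported Ubuntu patch that was backported to bullseye, and reconsider whether the stretch annotation should be updated to reference the same fix.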
@@ -266097,31 +266091,26 @@ CVE-2021-42383 (A use-after-free in Busybox's awk applet leads to denial of serv
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42382 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox 1:1.35.0-1 (bug #999567)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42381 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox 1:1.35.0-1 (bug #999567)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42380 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox 1:1.35.0-1 (bug #999567)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42379 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox 1:1.35.0-1 (bug #999567)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
CVE-2021-42378 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
- busybox 1:1.35.0-1 (bug #999567)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
[stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch)
NOTE: https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
@@ -301322,7 +301311,6 @@ CVE-2021-28832 (VSCodeVim before 1.19.0 allows attackers to execute arbitrary co
CVE-2021-28831 (decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit ...)
{DLA-2614-1}
- busybox 1:1.35.0-1 (bug #985674)
- [bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
NOTE: https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd
CVE-2021-27851 (A security vulnerability that can lead to local privilege escalation h ...)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[19 Jan 2025] DLA-4019-1 busybox - security update
+ {CVE-2021-28831 CVE-2021-42374 CVE-2021-42378 CVE-2021-42379 CVE-2021-42380 CVE-2021-42381 CVE-2021-42382 CVE-2021-42384 CVE-2021-42385 CVE-2021-42386 CVE-2022-48174 CVE-2023-42364 CVE-2023-42365}
+ [bullseye] - busybox 1:1.30.1-6+deb11u1
[17 Jan 2025] DLA-4018-1 ruby2.7 - security update
{CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946 CVE-2024-43398 CVE-2024-49761}
[bullseye] - ruby2.7 2.7.4-1+deb11u3
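Review bot: the CVE set in the new DLA-4019-1 entry includes CVE-2021-42374 and CVE-2021-42383, but no hunk in data/CVE/list removes a `[bullseye] - busybox <no-dsa>` line for either of them (CVE-2021-42383 appears only as hunk-header context, CVE-2021-42374 not at all). Confirm that those two entries already carried no bullseye tag, or add the missing removals, otherwise the tracker shows them as both no-dsa in bullseye and fixed by a bullseye DLA.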
=====================================
data/dla-needed.txt
=====================================
@@ -37,14 +37,6 @@ ansible (lee)
asterisk
NOTE: 20250105: Added by Front-Desk (apo)
--
-busybox (tobi)
- NOTE: 20241204: Added by Front-Desk (santiago)
- NOTE: 20241204: Added to address the CVEs from 2021, after a request from a sponsor
- NOTE: 20241225: Imported several patches from Ubuntu, see lts repo for details.
- NOTE: 20241225: Some CVEs still need triage and verification that they not apply on 1.30 (as Ubuntu claims) and
- NOTE: 20241225: several CVEs have no identified patch. My triaging table: https://pad.riseup.net/p/lts-busybox-triage-2024-12-keep
- NOTE: 20241225: Due to Christmas/Congress, won't be able to work on it until Janauary. (tobi)
---
cacti (rouca)
NOTE: 20241023: Added by Front-Desk (lamby)
NOTE: 20241103: Opened a git issue https://github.com/Cacti/cacti/issues/5896 for getting the upstream commit (rouca)
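Review bot: the removed dla-needed.txt entry was the only place recording that some CVEs still needed verification that they do not apply to 1.30 (as Ubuntu claims) and that several had no identified patch, together with the link to the riseup pad holding the triaging table; nothing in this commit carries those outcomes into data/CVE/list. Before dropping the entry, add NOTE lines to the affected CVE entries stating the per-CVE result (patch backported, or not affected in 1.30), so the reasoning behind the 13 CVEs listed in DLA-4019-1 does not live only in an external pad.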
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a31b5be05dc0ee57222753385e70033bd2f3ec3