[Git][security-tracker-team/security-tracker][master] dla: drop busybox
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Fri Nov 7 15:30:37 GMT 2025
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
622f6a3b by Sylvain Beucler at 2025-11-07T16:30:24+01:00
dla: drop busybox
Minor issues, upstream fixes not available after more than 6 months.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -64677,6 +64677,7 @@ CVE-2025-46394 (In tar in BusyBox through 1.37.0, a TAR archive can have filenam
- busybox <unfixed> (bug #1104008)
[trixie] - busybox <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - busybox <postponed> (Minor issue, terminal corruption, revisit when fixed upstream)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=16018
NOTE: https://www.openwall.com/lists/oss-security/2025/04/23/1
NOTE: Proposed patch: https://lists.busybox.net/pipermail/busybox/2025-April/091461.html
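Review bot: the added [bullseye] line postpones until "fixed upstream", but the NOTE lines directly below it already reference a proposed patch on the busybox list. Consider recording in the reason, or in an extra NOTE, whether that proposed patch was evaluated for bullseye, so a later reader can tell it was considered rather than overlooked.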
@@ -64813,6 +64814,7 @@ CVE-2024-58251 (In netstat in BusyBox through 1.37.0, local users can launch of
- busybox <unfixed> (bug #1104009)
[trixie] - busybox <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - busybox <postponed> (Minor issue, DoS, revisit when fixed upstream)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15922
CVE-2024-47829 (pnpm is a package manager. Prior to version 10.0.0, the path shortenin ...)
NOT-FOR-US: pnpm
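Review bot: the added [bullseye] reason carries an impact keyword ("DoS") that the [trixie] and [bookworm] lines for the same CVE do not. If the impact is worth recording, put it on all three lines or in a NOTE under the entry, so the per-release reasons stay comparable.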
@@ -225987,8 +225989,8 @@ CVE-2023-39810 (An issue in the CPIO command of Busybox v1.33.2 allows attackers
- busybox 1:1.37.0-7 (bug #1055307)
[trixie] - busybox <no-dsa> (Minor issue)
[bookworm] - busybox <no-dsa> (Minor issue)
- [bullseye] - busybox <postponed> (Minor issue, revisit when fixed upstream)
- [buster] - busybox <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - busybox <postponed> (Minor issue)
+ [buster] - busybox <postponed> (Minor issue)
NOTE: https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/
NOTE: https://bugs.busybox.net/show_bug.cgi?id=16033
NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=9a8796436b9b0641e13480811902ea2ac57881d3
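Review bot: on the [bullseye] and [buster] lines, dropping "revisit when fixed upstream" leaves <postponed> with no revisit condition, while this entry already records a fixed version (1:1.37.0-7) and a "Fixed by" upstream commit. The commit message's reason (upstream fixes not available) does not fit this CVE. Either align these lines with the <no-dsa> used for [trixie] and [bookworm], or say in the reason why the available fix is not being backported.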
=====================================
data/dla-needed.txt
=====================================
@@ -45,12 +45,6 @@ ansible
NOTE: 20241123: Made a partial release. only CVE-2024-11079 needed but more upstream backport work needed (rouca)
NOTE: 20250422: Testing/bisecting will take more time, please keep it assigned to me (lee)
--
-busybox
- NOTE: 20250425: Added by Front-Desk (rouca)
- NOTE: 20250519: Asked maintainers about any pending work and offered help. (spwhitton)
- NOTE: 20250620: Pinged maintainers about unfixed CVEs in sid again, offered help.
- NOTE: 20250620: (spwhitton)
---
ca-certificates
NOTE: 20250613: Added by Front-Desk (rouca)
NOTE: 20250613: Lack some certificates #1095913 (rouca/FD)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/622f6a3b9542ad430e92e7d298ca576be469c21c