Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package busybox for openSUSE:Factory checked in at 2022-01-14 23:13:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/busybox (Old) and /work/SRC/openSUSE:Factory/.busybox.new.1892 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "busybox" Fri Jan 14 23:13:01 2022 rev:72 rq:946465 version:1.35.0 Changes: -------- --- /work/SRC/openSUSE:Factory/busybox/busybox.changes 2021-11-03 17:25:56.341326496 +0100 +++ /work/SRC/openSUSE:Factory/.busybox.new.1892/busybox.changes 2022-01-14 23:14:02.274662628 +0100 @@ -1,0 +2,28 @@ +Wed Jan 12 15:40:40 UTC 2022 - Thorsten Kukuk <ku...@suse.com> + +- Update to 1.35.0 + - Adjust busybox.config for new features in find, date and cpio + +------------------------------------------------------------------- +Thu Jan 6 06:37:24 UTC 2022 - Radoslav Kolev <radoslav.ko...@suse.com> + +- Annotate CVEs already fixed in upstream, but not mentioned in .changes: + * CVE-2017-16544 (bsc#1069412): Insufficient sanitization of filenames when autocompleting + * CVE-2015-9261 (bsc#1102912): huft_build misuses a pointer, causing segfaults + * CVE-2016-2147 (bsc#970663): out of bounds write (heap) due to integer underflow in udhcpc + * CVE-2016-2148 (bsc#970662): heap-based buffer overflow in OPTION_6RD parsing + * CVE-2016-6301 (bsc#991940): NTP server denial of service flaw + * CVE-2017-15873 (bsc#1064976): The get_next_block function in archival/libarchive/decompress_bunzip2.c has an Integer Overflow + * CVE-2017-15874 (bsc#1064978): archival/libarchive/decompress_unlzma.c has an Integer Underflow + * CVE-2019-5747 (bsc#1121428): out of bounds read in udhcp components + * CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, + CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, + CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, + CVE-2021-42385, CVE-2021-42386 (bsc#1192869) : v1.34.0 bugfixes + - CVE-2021-28831 (bsc#1184522): invalid free or segmentation fault via malformed gzip data + - CVE-2018-20679 (bsc#1121426): out of bounds read in udhcp + - CVE-2018-1000517 (bsc#1099260): Heap-based buffer overflow in the retrieve_file_data() + - CVE-2011-5325 (bsc#951562): tar directory traversal + - CVE-2018-1000500 (bsc#1099263): wget: Missing SSL certificate validation + +------------------------------------------------------------------- Old: ---- busybox-1.34.1.tar.bz2 busybox-1.34.1.tar.bz2.sig New: ---- busybox-1.35.0.tar.bz2 busybox-1.35.0.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ busybox.spec ++++++ --- /var/tmp/diff_new_pack.vG8yli/_old 2022-01-14 23:14:02.898663031 +0100 +++ /var/tmp/diff_new_pack.vG8yli/_new 2022-01-14 23:14:02.902663033 +0100 @@ -1,7 +1,7 @@ # # spec file for package busybox # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: busybox -Version: 1.34.1 +Version: 1.35.0 Release: 0 Summary: Minimalist variant of UNIX utilities linked in a single executable License: GPL-2.0-or-later ++++++ busybox-1.34.1.tar.bz2 -> busybox-1.35.0.tar.bz2 ++++++ ++++ 11390 lines of diff (skipped) ++++++ busybox.config ++++++ --- /var/tmp/diff_new_pack.vG8yli/_old 2022-01-14 23:14:04.110663812 +0100 +++ /var/tmp/diff_new_pack.vG8yli/_new 2022-01-14 23:14:04.114663815 +0100 @@ -1,7 +1,6 @@ # # Automatically generated make config: don't edit -# Busybox version: 1.34.1 -# Sat Oct 30 11:02:54 2021 +# Busybox version: 1.35.0 # CONFIG_HAVE_DOT_CONFIG=y @@ -162,6 +161,8 @@ CONFIG_CPIO=y CONFIG_FEATURE_CPIO_O=y CONFIG_FEATURE_CPIO_P=y +CONFIG_FEATURE_CPIO_IGNORE_DEVNO=y +CONFIG_FEATURE_CPIO_RENUMBER_INODES=y # CONFIG_DPKG is not set # CONFIG_DPKG_DEB is not set CONFIG_GZIP=y @@ -197,6 +198,12 @@ # # Coreutils # + +# +# Common options for date and touch +# +CONFIG_FEATURE_TIMEZONE=y + CONFIG_BASENAME=y CONFIG_CAT=y CONFIG_FEATURE_CATN=y @@ -448,7 +455,11 @@ CONFIG_FIND=y CONFIG_FEATURE_FIND_PRINT0=y CONFIG_FEATURE_FIND_MTIME=y +CONFIG_FEATURE_FIND_ATIME=y +CONFIG_FEATURE_FIND_CTIME=y CONFIG_FEATURE_FIND_MMIN=y +CONFIG_FEATURE_FIND_AMIN=y +CONFIG_FEATURE_FIND_CMIN=y CONFIG_FEATURE_FIND_PERM=y CONFIG_FEATURE_FIND_TYPE=y CONFIG_FEATURE_FIND_EXECUTABLE=y @@ -472,6 +483,7 @@ CONFIG_FEATURE_FIND_REGEX=y # CONFIG_FEATURE_FIND_CONTEXT is not set CONFIG_FEATURE_FIND_LINKS=y +CONFIG_FEATURE_FIND_SAMEFILE=y CONFIG_GREP=y CONFIG_EGREP=y CONFIG_FGREP=y