Wolfgang Ocker wrote... > Hello Busybox Package Maintainers: > > I hope I have found the correct email address for my question.
It's good enough. > https://security-tracker.debian.org/tracker/CVE-2022-48174 > > It says here that the stack overflow bug in Busybox (CVE-2022-48174) > has not yet been fixed in Bookworm because it is only a minor issue. It seems this was fixed in 1:1.30.1-6+deb11u1 in January 2025: | busybox (1:1.30.1-6+deb11u1) bullseye-security; urgency=high | | * Non-maintainer upload by the LTS Security Team. | * Import patches for | (Cherry-picked from 1:1.30-1.4ubuntu6.4) | - CVE-2021-28831 (Closes: #985674), | - CVE-2021-42374, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, | CVE-2021-42381, CVE-2021-42382, CVE-2021-42384, CVE-2021-42385, | CVE-2021-42386 (Closes: #999567), | (Cherry-picked from 1:1.30.1-7ubuntu3.1) ! - CVE-2022-48174 (Closes: #1059049) | * Backport patch for CVE-2023-42364. This patch also covers | CVE-2023-42365 (Closes: #1059051, #1059052) | | -- Tobias Frost <[email protected]> Sun, 19 Jan 2025 10:30:58 +0100 > I would be very interested to know why you came to this conclusion, as > I can't find any reference to it in the corresponding bug tracker > entry: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049 This creates the question why the bits in the tracker were not updated properly. I'll ask around behind the curtain. Christoph
signature.asc
Description: PGP signature
