Hello,

Just wanted to quickly ask if there's any news about this Busybox issue?

Thanks,
Wolfgang

On Tue, 2025-10-21 at 12:13 +0200, Christoph Biedl wrote:
> Wolfgang Ocker wrote...
>
> > Hello Busybox Package Maintainers:
> >
> > I hope I have found the correct email address for my question.
>
> It's good enough.
>
> > https://security-tracker.debian.org/tracker/CVE-2022-48174
> >
> > It says here that the stack overflow bug in Busybox (CVE-2022-48174)
> > has not yet been fixed in Bookworm because it is only a minor issue.
>
> It seems this was fixed in 1:1.30.1-6+deb11u1 in January 2025:
>
> > busybox (1:1.30.1-6+deb11u1) bullseye-security; urgency=high
> >
> >   * Non-maintainer upload by the LTS Security Team.
> >   * Import patches for
> >     (Cherry-picked from 1:1.30-1.4ubuntu6.4)
> >     - CVE-2021-28831 (Closes: #985674),
> >     - CVE-2021-42374, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380,
> >       CVE-2021-42381, CVE-2021-42382, CVE-2021-42384, CVE-2021-42385,
> >       CVE-2021-42386 (Closes: #999567),
> >     (Cherry-picked from 1:1.30.1-7ubuntu3.1)
> !   - CVE-2022-48174 (Closes: #1059049)
> >   * Backport patch for CVE-2023-42364. This patch also covers
> >     CVE-2023-42365 (Closes: #1059051, #1059052)
> >
> >  -- Tobias Frost <[email protected]>  Sun, 19 Jan 2025 10:30:58 +0100
>
> > I would be very interested to know why you came to this conclusion, as
> > I can't find any reference to it in the corresponding bug tracker entry:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049
>
> This creates the question why the bits in the tracker were not updated
> properly. I'll ask around behind the curtain.
>
> Christoph

