On 1/31/26 19:19, Tobias Frost wrote:
Hi Michael,

I'm reaching out with regard to updates of busybox in bookworm.
Around a year ago I uploaded fixes to LTS (bullseye), but
some of the fixed CVEs are currently unfixed in newer releases,
especially in bookworm, and I'd like to close this gap.

As "busybox" is listed as one where the maintainers would like
to be involved in LTS updates, I'm reaching out to coordinate this
update.

The plan would be to at least close the gap in bookworm and at least fix
everything fixed in bullseye.
What do you think, how should we approach this issue? I can, as part of
the LTS effort, take a look at bullseye, but if you prefer to take a
look yourself that would be appreciated too.

Please definitely do the fixes in bookworm if you're energetic enough
to fix them.

Which fixes are they, anyway?  Are you talking about fixes to the 4 CVEs
listed for bookworm but not for trixie, -- CVE-2022-48174 (ash),
CVE-2023-42363 (uaf xasprintf), CVE-2023-42364 (uaf awk pattern),
CVE-2023-42365 (uaf awk copyvar)?  Or is it something else?

Or do you think about the other vulns still listed for trixie and sid too?

Thanks,

/mjt
