Hi Michael,

thanks for the quick reply!

On Sun, Feb 01, 2026 at 12:17:12AM +0300, Michael Tokarev wrote:
> On 1/31/26 19:19, Tobias Frost wrote:
> > Hi Michael,
> > 
> > I'm reaching out regarding updates of busybox in bookworm.
> > Around a year ago I've uploaded fixes to LTS (bullseye), but
> > some of the fixed CVEs are currently unfixed in newer releases,
> > especially in bookworm and I'd like to close this gap.
> > 
> > As "busybox" is listed as one where the maintainers would like
> > to be involved in LTS updates, I'm reaching out to coordinate this
> > update.
> > 
> > The plan would be to at least close the gap in bookworm and at least fix
> > everything fixed in bullseye.
> > What do you think, how should we approach this issue? I can, as part of
> > the LTS effort, take a look at bullseye, but if you prefer to take a
> > look yourself that would be appreciated too.
> 
> Please definitely do the fixes in bookworm if you're energetic enough
> to fix them.
> 
> Which fixes are they, anyway?  Are you talking about fixes to the 4 CVEs
> listed for bookworm but not for trixie, -- CVE-2022-48174 (ash),
> CVE-2023-42363 (uaf xasprintf), CVE-2023-42364 (uaf awk pattern),
> CVE-2023-42365 (uaf awk copyvar)?  Or is it something else?
> 
> Or do you think about the other vulns still listed for trixie and sid too?

The bookworm update should target at least
CVE-2022-48174, CVE-2023-42364, CVE-2023-42365 - those are the "gap"
between bullseye and bookworm.
It won't hurt to fix CVE-2023-42363, too, as this one is already fixed
in trixie and newer.

So I will primarily target the above.

CVE-2023-39810 would be nice too, but that will trigger a need to
update trixie as well. It's triaged as non-dsa by the security team, so
this would become a stable-proposed-update. (Let me know your thoughts
about this one.)

From what I can see (it seems that the upstream bug tracker is restricting
access), the 4 open CVEs in sid/testing don't have a resolution
yet. Do you by chance have an upstream contact to ask about them?

Cheers,
tobi

> Thanks,
> 
> /mjt