Your message dated Sun, 01 Feb 2026 16:49:18 +0000
with message-id <[email protected]>
and subject line Bug#1120795: fixed in busybox 1:1.37.0-8
has caused the Debian Bug report #1120795,
regarding busybox: CVE-2025-60876
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120795: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120795
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: busybox
X-Debbugs-CC: [email protected]
Severity: normal
Tags: security
Hi,
The following vulnerability was published for busybox.
CVE-2025-60876[0]:
| BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other
| C0 control bytes in the HTTP request-target (path/query), allowing
| the request line to be split and attacker-controlled headers to be
| injected. To preserve the HTTP/1.1 request-line shape METHOD SP
| request-target SP HTTP/1.1, a raw space (0x20) in the request-target
| must also be rejected (clients should use %20).
Not sure if this has been reported upstream, the busybox bug tracker
is currently down:
https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-60876
https://www.cve.org/CVERecord?id=CVE-2025-60876
Please adjust the affected versions in the BTS as needed.
--- End Message ---
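The check that the CVE description above calls for, written as an added example; it is not the BusyBox or Debian patch. It rejects any request-target containing a C0 control byte or a raw space before the request line is built. The helper names `request_target_is_safe` and `build_request_line` and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not BusyBox code): return 1 if the request-target
 * holds no C0 control byte (0x00-0x1F, which covers CR and LF) and no raw
 * space (0x20); return 0 otherwise. The length is explicit so that an
 * embedded NUL is inspected rather than silently ending the scan. */
static int request_target_is_safe(const char *target, size_t len)
{
    if (len == 0)
        return 0;                       /* an empty target is not valid */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (c <= 0x20)                  /* C0 controls and SP */
            return 0;
    }
    return 1;
}

/* Hypothetical helper: write "GET <target> HTTP/1.1\r\n" into out only
 * when the target passes the check, so the line keeps the shape
 * METHOD SP request-target SP HTTP/1.1. Returns the line length, or -1
 * if the target is rejected or the line does not fit. */
static int build_request_line(char *out, size_t outsz,
                              const char *target, size_t len)
{
    if (!request_target_is_safe(target, len))
        return -1;
    int n = snprintf(out, outsz, "GET %.*s HTTP/1.1\r\n", (int)len, target);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, one with raw CR/LF. */
    static const char ok[] = "/pkg/file%20name.tar?x=1";
    static const char split[] = "/a\r\nX-Injected: 1";
    char line[128];

    printf("%d\n", build_request_line(line, sizeof line, ok, sizeof ok - 1));
    printf("%d\n", build_request_line(line, sizeof line, split, sizeof split - 1));
    return 0;
}
```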
--- Begin Message ---
Source: busybox
Source-Version: 1:1.37.0-8
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated busybox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 01 Feb 2026 19:29:24 +0300
Source: busybox
Architecture: source
Version: 1:1.37.0-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1059053 1104008 1120795
Changes:
busybox (1:1.37.0-8) unstable; urgency=medium
.
* awk.c-fix-CVE-2023-42366-bug-15874.patch (Closes: #1059053)
* wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch (Closes: #1120795)
* two patches (one from upstream and missing hunk) to fix CVE-2025-46394:
archival-libarchive-sanitize-filenames-on-output-CVE-2025-46394.patch
archival-libarchive-sanitize-filenames-on-output-CVE-2025-46394-2.patch
(Closes: #1104008)
* config: deb,static: enable resize applet
* initramfs-tools/conf-hooks.d/busybox: remove,
initramfs-tools don't use $BUSYBOXDIR anymore
* initramfs-tools/hooks/zz-busybox:
print applets added to initramfs in verbose mode
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---