This bug was fixed in the package busybox - 1:1.37.0-7ubuntu1
---------------
busybox (1:1.37.0-7ubuntu1) resolute; urgency=medium
* Merge with Debian unstable. (LP: #2130136) Remaining changes:
- Add busybox-initramfs binary package and initramfs flavour:
- Add dirname from coreutils to the initramfs
- Enable the new klibc utility implementations, nuke and run-init
in the initramfs package; and also enable reboot. Doesn't yet make
klibc-utils irrelevant - we still use ipconfig, fstype, and nfsmount
- but it moves us much closer and should save a little bit of disk
space.
- Enable TLS in initramfs flavour of wget applet, requires openssl
- debian/config/pkg/initramfs: Enable the date applet with the same
options as the other variants for use in fixrtc and casper scripts.
- Prefer busybox cmds over klibc cmds where there is duplication.
- Move zz-busybox to busybox-initramfs to ensure we get links to all
the tools we need, stop shipping it anywhere else.
- d/tree/busybox/usr/share/initramfs-tools/hooks/zz-busybox:
Copy certs and openssl config for the casper+busybox-initramfs case.
- Add Ubuntu configuration for busybox binaries.
- test-bin.patch: Move test and friends to /bin.
- static-sh-alias.patch: Add static-sh alias name for ash, and install
/bin/static-sh symlink to busybox in busybox-static.
- d/config/pkg/{deb,static}: Enable chpasswd (needed by LXC).
* New Changes
- d/config/pkg/initramfs: archival-disallow-path-traversals-*.patch adds a
new
feature that was not configured in d/config/pkg/initramfs as
busybox-initramfs
is an Ubuntu only package. Adds in the default config to to the initramfs
conf.
- d/p/fix-start-stop-daemon-rust-coreutils.patch
rust-coreutils disallows running an executable by a different
name. This leads to "start-stop-daemon with both -x and -a"
to fail as it attempts to run /bin/false under a different
name, qwerty. Patch test to use the same executable as the
test does not check argv[0] difference
- busybox-static.links updated to be in usr/bin instead of bin.
(LP: #2139160)
busybox (1:1.37.0-7) unstable; urgency=medium
* patches/archival-disallow-path-traversals-CVE-2023-39810.patch
(Closes: #1055307, CVE-2023-39810)
* archival-disallow-path-traversals-CVE-2023-39810.patch:
use the correct "echo" when constructing the archive
* d/config/pkg/* CONFIG_FEATURE_PATH_TRAVERSAL_PROTECTION=y
* enable chattr and lsattr applets (Closes: #1119539)
* udeb: install all links in /usr/, do not touch /bin & /sbin
busybox (1:1.37.0-6) unstable; urgency=medium
* udeb config: remove wget applet
(wget-udeb is used for this for many years) (Closes: #1107392)
busybox (1:1.37.0-5) unstable; urgency=medium
* d/control: switch from Static-Built-Using back to Built-Using
(Closes: #1106796)
-- John Chittum <[email protected]> Wed, 14 Jan 2026 10:50:37
-0500
** Changed in: busybox (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2023-39810
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2130136
Title:
Merge busybox from Debian Unstable for resolute
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/2130136/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
