• busybox security fixes

    From Sean Whitton@21:1/5 to All on Mon May 19 13:00:02 2025
    Hello busybox maintainers,

    I'm looking into the unfixed CVEs for busybox, funded by Freexian's LTS
    effort. This package is listed as one where the maintainers would like
    to be involved in LTS updates. May I ask whether you have any work
    pending to fix the CVEs in sid and trixie? And any pending work for a
    bookworm PU? I can help with all of those.

    Thanks.

    --
    Sean Whitton


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Us
  • From Michael Tokarev@21:1/5 to Sean Whitton on Mon May 19 13:40:01 2025
    On 19.05.2025 13:52, Sean Whitton wrote:
    > Hello busybox maintainers,
    >
    > I'm looking into the unfixed CVEs for busybox, funded by Freexian's LTS
    > effort. This package is listed as one where the maintainers would like
    > to be involved in LTS updates. May I ask whether you have any work
    > pending to fix the CVEs in sid and trixie? And any pending work for a
    > bookworm PU? I can help with all of those.

    Which busybox CVE fixes need to be in trixie or sid?

    I've been contacted before by Tobias Frost with exactly the same
    question, and all CVEs he mentioned are fixed in trixie for a long
    time. I'm not aware of other busybox CVEs so far, at least there
    are no Debian bugs filed about this.

    If you have more details, I'm all ears.

    Thanks,

    /mjt

  • From Michael Tokarev@21:1/5 to Michael Tokarev on Mon May 19 13:30:01 2025
    On 19.05.2025 14:22, Michael Tokarev wrote:
    > On 19.05.2025 13:52, Sean Whitton wrote:
    >> Hello busybox maintainers,
    >>
    >> I'm looking into the unfixed CVEs for busybox, funded by Freexian's LTS
    >> effort.  This package is listed as one where the maintainers would like
    >> to be involved in LTS updates.  May I ask whether you have any work
    >> pending to fix the CVEs in sid and trixie?  And any pending work for a
    >> bookworm PU?  I can help with all of those.
    >
    > Which busybox CVE fixes need to be in trixie or sid?

    Aha. I missed a few. Lemme take a closer look..

    /mjt

  • From Sean Whitton@21:1/5 to Michael Tokarev on Fri Jun 20 15:50:01 2025
    Hello Michael,

    On Mon 19 May 2025 at 02:22pm +03, Michael Tokarev wrote:

    > On 19.05.2025 13:52, Sean Whitton wrote:
    >> Hello busybox maintainers,
    >> I'm looking into the unfixed CVEs for busybox, funded by Freexian's LTS
    >> effort. This package is listed as one where the maintainers would like
    >> to be involved in LTS updates. May I ask whether you have any work
    >> pending to fix the CVEs in sid and trixie? And any pending work for a
    >> bookworm PU? I can help with all of those.
    >
    > Which busybox CVE fixes need to be in trixie or sid?
    >
    > I've been contacted before by Tobias Frost with exactly the same
    > question, and all CVEs he mentioned are fixed in trixie for a long
    > time. I'm not aware of other busybox CVEs so far, at least there
    > are no Debian bugs filed about this.
    >
    > If you have more details, I'm all ears.

    Do you have any updates here? There are still three CVEs unfixed in
    sid. LTS contributors may be able to help if you need it. Thanks.

    --
    Sean Whitton

