Dear Busybox maintainers,

currently stable has three open CVEs which are already fixed for LTS but remain unfixed for stable. We'd like to avoid a situation where people update from an LTS release to stable and then regress into having the CVEs not fixed.

For this I'd like to coordinate with you an update for stable, targeting CVE-2023-42364, CVE-2023-42365 and CVE-2022-48174.

Those CVEs are also unfixed in unstable, so a path fixing those busybox vulnerabilities needs to be fixed in unstable first. For unstable, I can prepare a patchset, I can do an NMU for the issues, or of course you can fix those issues yourself.

What would be your preferred way to solve these issues?

Once fixed in unstable, I'll offer to help with an s-p-u as well, just let me know how you'd like to tackle it.

At the LTS Team, we track this issue with this issue ticket: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/186 (You're welcome to directly comment there.)

Cheers,
--
tobi (as LTS team contributor)