02.03.2025 13:33, Tobias Frost wrote:
> Dear Busybox maintainers,
>
> currently stable has three open CVEs which are already fixed for LTS
> but remain unfixed for stable. We'd like to avoid a situation
> where people updating from an LTS release to stable then regress
> into having the CVEs not fixed.
>
> For this I'd like to coordinate with you an update for stable, targeting
> CVE-2023-42364, CVE-2023-42365 and CVE-2022-48174
>
> Those CVEs are also unfixed in unstable, so a path fixing those busybox
> vulnerabilities needs to be fixed in unstable first.

The 3 CVEs mentioned by you are fixed by bb 1.37, which has been in trixie
for quite a while.  They're not fixed in bookworm though, as you correctly
noted.

> For unstable, I can prepare a patchset for unstable, I can do a NMU for
> the issues, or of course you can fix those issues yourself

I'm not sure I follow, since it's fixed in unstable for a long time.

We can fix it for stable (bookworm) for sure, but I'm kinda skeptical
here, - the issues are minor, and I'm not sure it's worth bothering at
all.  The stable and security teams have their own share of work already :)

You can prepare an update for bookworm together with the update for LTS
if you like, - I think this would be more productive, since you know
exactly what to do, as you're doing it for the LTS already.  Or I can
do it in parallel with (or before) you, provided I got the commits
correctly:

 CVE-2022-48174:
 d417193cf37ca1005830d7e16f5fa7e1d8a44209

 CVE-2023-42363:
 fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa

 CVE-2023-42364:
 38335df9e9f45378c3407defd38b5b610578bdda
 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4

Thanks,

/mjt
