Hi Michael, (sorry for the late reply, somehow I missed sending it out...)
On Fri, Mar 07, 2025 at 09:03:06AM +0300, Michael Tokarev wrote:
> 02.03.2025 13:33, Tobias Frost wrote:
> > Dear Busybox maintainers,
> >
> > currently stable has three open CVEs which are already fixed for LTS
> > but remain unfixed for stable. We'd like to avoid a situation
> > where people updating from an LTS release to stable then regress
> > into having the CVEs not fixed.
> >
> > For this I'd like to coordinate with you an update for stable, targeting
> > CVE-2023-42364, CVE-2023-42365 and CVE-2022-48174
> >
> > Those CVEs are also unfixed in unstable, so a patch fixing those busybox
> > vulnerabilities needs to be applied in unstable first.
>
> The 3 CVEs mentioned by you are fixed by bb 1.37, which has been in trixie for
> quite a while. They're not fixed in bookworm though, as you correctly
> noted.
>
> > For unstable, I can prepare a patchset for unstable, I can do an NMU for
> > the issues, or of course you can fix those issues yourself
>
> I'm not sure I follow, since it's been fixed in unstable for a long time.

I'm sorry, I've messed up here. You're right, those three are fixed already.

> We can fix it for stable (bookworm) for sure, but I'm kinda skeptical
> here, - the issues are minor, and I'm not sure it's worth bothering at
> all. The stable and security teams have their own share of work already :)

Well, the background is that when we fix issues in LTS we also try to get them fixed in newer releases, so that users won't get a regression when updating to a newer release, e.g. from bullseye to bookworm. In my experience the release team is very open to this (especially if the update is small and targeted).

> You can prepare an update for bookworm together with the update for LTS
> if you like, - I think this would be more productive, since you know
> exactly what to do, as you're doing it for the LTS already.
> Or I can
> do it in parallel with (or before) you, provided I got the commits
> correctly:
>
> CVE-2022-48174:
> d417193cf37ca1005830d7e16f5fa7e1d8a44209
>
> CVE-2023-42363:
> fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa
>
> CVE-2023-42364:
> 38335df9e9f45378c3407defd38b5b610578bdda
> 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4

I'll happily prepare the s-p-u, thanks for the heads-up!

> Thanks,
>
> /mjt