[Buildroot] [PATCH] package/busybox: fix CVE-2022-28391
Peter Korsgaard
peter at korsgaard.com
Thu Sep 29 20:21:03 UTC 2022
>>>>> "Quentin" == Quentin Schulz <foss+buildroot at 0leil.net> writes:
> From: Quentin Schulz <quentin.schulz at theobroma-systems.com>
> The patches have been used by Alpine for 5 months now and they were
> posted on the Busybox mailing list mid-July with no review or comment.
> According to Ariadne Conill[1] - though NVD CVSS 3.x Base Score seems to
> disagree - this has a low security impact so we could probably just wait
> for upstream to merge the patches or implement it the way they want.
> Considering those patches have been public for 5 months and upstream
> hasn't acted until now, let's take the patches from the mailing list
> anyway as there's no indication the CVEs will be fixed upstream soon.
> [1] https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
> Cc: Quentin Schulz <foss+buildroot at 0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz at theobroma-systems.com>
> ---
> Cc'ing Peter for backport to stable releases
> Only build tested
> git context depends on
> https://lore.kernel.org/buildroot/20220919114757.1076737-1-foss+buildroot@0leil.net/
This is not a great situation, but OK, given that it has been in Alpine
for so long already.
Committed to 2022.02.x, 2022.05.x and 2022.08.x, thanks.
--
Bye, Peter Korsgaard