UbuntuUpdates.org

Package "busybox"

Name: busybox

Description:

Tiny utilities for small and embedded systems
Latest version: 1:1.30.1-4ubuntu6.4
Release: focal (20.04)
Level: updates
Repository: universe
Homepage: http://www.busybox.net

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "busybox"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "busybox" in Focal

Repository Area Version
base main 1:1.30.1-4ubuntu6
base universe 1:1.30.1-4ubuntu6
security main 1:1.30.1-4ubuntu6.4
security universe 1:1.30.1-4ubuntu6.4
updates main 1:1.30.1-4ubuntu6.4

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1:1.30.1-4ubuntu6.4 2021-12-07 15:07:32 UTC

  busybox (1:1.30.1-4ubuntu6.4) focal-security; urgency=medium

  * SECURITY UPDATE: invalid free or segfault via gzip data
    - debian/patches/CVE-2021-28831.patch: fix DoS if gzip is corrupt in
      archival/libarchive/decompress_gunzip.c.
    - CVE-2021-28831
  * SECURITY UPDATE: OOB read in unlzma
    - debian/patches/CVE-2021-42374.patch: fix a case where we could read
      before beginning of buffer in archival/libarchive/decompress_unlzma.c,
      testsuite/unlzma.tests.
    - CVE-2021-42374
  * SECURITY UPDATE: multiple security issues in awk
    - debian/patches/CVE-2021-423xx-awk.patch: backport awk.c from
      busybox 1.34.1.
    - CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381,
      CVE-2021-42382, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386

 -- Marc Deslauriers <email address hidden> Wed, 24 Nov 2021 14:02:55 -0500
Source diff to previous version
CVE-2021-28831 decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentatio
CVE-2021-42374 An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompres
CVE-2021-42378 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i
CVE-2021-42379 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_inp
CVE-2021-42380 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar f
CVE-2021-42381 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_ini
CVE-2021-42382 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s
CVE-2021-42384 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_s
CVE-2021-42385 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate
CVE-2021-42386 A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc

Version: 1:1.30.1-4ubuntu6.3 2020-11-25 01:11:33 UTC

  busybox (1:1.30.1-4ubuntu6.3) focal; urgency=medium

  * cherry-pick settimeofday for glibc v2.31+ compatibility fix for upstream
    (LP: #1888543)

 -- Balint Reczey <email address hidden> Wed, 11 Nov 2020 13:15:02 +0100
Source diff to previous version
1888543 hwclock: fails to set time on glibc 2.31

Version: 1:1.30.1-4ubuntu6.2 2020-09-22 16:07:15 UTC

  busybox (1:1.30.1-4ubuntu6.2) focal-security; urgency=medium

  * SECURITY UPDATE: missing ssl cert validation in wget applet
    - debian/patches/CVE-2018-1000500-2.patch: fix openssl options for cert
      verification in networking/wget.c.
    - CVE-2018-1000500

 -- Marc Deslauriers <email address hidden> Fri, 18 Sep 2020 09:47:43 -0400
Source diff to previous version
CVE-2018-1000500 Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This at

Version: 1:1.30.1-4ubuntu6.1 2020-06-16 02:07:01 UTC

  busybox (1:1.30.1-4ubuntu6.1) focal; urgency=medium

  * Enable TLS verification with OpenSSL. LP: #1879533
  * Enable TLS in initramfs flavour of wget applet, requires openssl. LP:
    #1879525

 -- Dimitri John Ledkov <email address hidden> Tue, 19 May 2020 16:16:23 +0100
1879533 busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it


About   -   Send Feedback to @ubuntu_updates