Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
Attached to Project:
Community Packages
Opened by Jonas Witschel (diabonas) - Friday, 19 March 2021, 11:51 GMT
Last edited by Eli Schwartz (eschwartz) - Monday, 28 June 2021, 10:59 GMT
|
DetailsSummary The packages busybox and mkinitcpio-busybox are vulnerable to denial of service via CVE-2021-28831.
Guidance Applying commit f25d254dfd4243698c31a4f3153d4ac72aa9e9bd referenced below fixes the issue.
References
https://security.archlinux.org/AVG-1707 |
This task depends upon
Closed by Eli Schwartz (eschwartz)
Monday, 28 June 2021, 10:59 GMT
Reason for closing: Fixed
Additional comments about closing: mkinitcpio-busybox-1.32.1-3
busybox 1.32.1-4
I have cherry-picked the fix and applied the patch that fixes this issue on mkinitcpio-busybox-1.32.1-3 which is on [testing] as of now. Please test it. @Eli @Sergej, please check the PKGBUILD/patch and apply to busybox, if applicable.
busybox cherry-picked the fix in busybox 1.32.1-4: backport fix for CVE-2021-28831 [1]
Box busybox and mkinitcpio-busybox are now on 1.33.1 which contains the fix as well.
[1] https://github.com/archlinux/svntogit-community/commit/998e1489d07acf7955617b61751e7fe843622c96