Overview

File _patchinfo of Package patchinfo.42242

<patchinfo incident="42242">
  <issue tracker="cve" id="2025-60876"/>
  <issue tracker="cve" id="2025-46394"/>
  <issue tracker="bnc" id="1236670">busybox-addgroup: allocates GIDs outside SYS_GID_MIN/MAX range</issue>
  <issue tracker="bnc" id="1249237">busybox dumps core when called as unshare -mrpf sh on ppc64le</issue>
  <issue tracker="bnc" id="1253245">VUL-0: CVE-2025-60876: busybox: request line incorrectly neutralized mat lead to header injection</issue>
  <issue tracker="bnc" id="1241661">VUL-0: CVE-2025-46394: busybox: files in a TAR archive can have their filenames hidden from a listing if terminal escape sequences are used when naming other files included in the archive</issue>
  <issue tracker="bnc" id="1247779">[Build 20250806][SELinux] openQA test fails in _root_BCI-tests_busybox_</issue>
  <packager>radolin</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for busybox</summary>
  <description>This update for busybox fixes the following issues:

This update for busybox fixes the following issues:

Security issues:

- CVE-2025-46394: Fixed tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661)
- CVE-2025-60876: Fixed HTTP request header injection in wget (CVE-2025-60876, bsc#1253245)

Other issues:

- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670)
- Fixed unshare -mrpf sh core dump on ppc64le (bsc#1249237)
- Fixed adduser inside containers on an SELinux host (bsc#1247779)
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places