Sicherheit: Mehrere Probleme in busybox

Lesezeichen hinzufügen

-------------------------------------------------------------------------------
-
Fedora Update Notification
FEDORA-2021-c52c0fe490
2021-11-25 00:57:41.647591
-------------------------------------------------------------------------------
-

Name : busybox
Product : Fedora 34
Version : 1.34.1
Release : 1.fc34
URL : http://www.busybox.net
Summary : Statically linked binary providing simplified versions of system
commands
Description :
Busybox is a single binary which includes versions of a large number
of system commands, including a shell. This package can be very
useful for recovering from certain types of system failures,
particularly those involving broken shared libraries.

-------------------------------------------------------------------------------
-
Update Information:

Update to 1.34.1. Resolves CVE-2021-42373 CVE-2021-42374 CVE-2021-42375
CVE-2021-42376 CVE-2021-42377 CVE-2021-42378 CVE-2021-42379 CVE-2021-42380
CVE-2021-42381 CVE-2021-42382 CVE-2021-42383 CVE-2021-42384 CVE-2021-42385
CVE-2021-42386 (Fedora 35+ already have 1.34.1)
-------------------------------------------------------------------------------
-
ChangeLog:

* Thu Sep 30 2021 Tom Callaway <spot@fedoraproject.org> - 1:1.34.1-1
- update to 1.34.1
* Thu Aug 19 2021 Tom Callaway <spot@fedoraproject.org> - 1:1.34.0-1
- update to 1.34.0
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> -
1:1.33.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #2023876 - CVE-2021-42373 busybox: NULL pointer dereference in man
applet leads to denial of service when a section name is supplied but no page argument is given
https://bugzilla.redhat.com/show_bug.cgi?id=2023876
[ 2 ] Bug #2023881 - CVE-2021-42374 busybox: out-of-bounds read in unlzma
applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed
https://bugzilla.redhat.com/show_bug.cgi?id=2023881
[ 3 ] Bug #2023888 - CVE-2021-42375 busybox: incorrect handling of a special
element in ash applet leads to denial of service when processing a crafted shell command
https://bugzilla.redhat.com/show_bug.cgi?id=2023888
[ 4 ] Bug #2023891 - CVE-2021-42376 busybox: NULL pointer dereference in hush
applet leads to denial of service when processing a crafted shell command
https://bugzilla.redhat.com/show_bug.cgi?id=2023891
[ 5 ] Bug #2023895 - CVE-2021-42377 busybox: an attacker-controlled pointer
free in hush applet leads to denial of service and possible code execution when processing a crafted shell command
https://bugzilla.redhat.com/show_bug.cgi?id=2023895
[ 6 ] Bug #2023900 - CVE-2021-42378 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()
https://bugzilla.redhat.com/show_bug.cgi?id=2023900
[ 7 ] Bug #2023904 - CVE-2021-42379 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()
https://bugzilla.redhat.com/show_bug.cgi?id=2023904
[ 8 ] Bug #2023912 - CVE-2021-42380 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()
https://bugzilla.redhat.com/show_bug.cgi?id=2023912
[ 9 ] Bug #2023927 - CVE-2021-42381 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()
https://bugzilla.redhat.com/show_bug.cgi?id=2023927
[ 10 ] Bug #2023929 - CVE-2021-42382 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()
https://bugzilla.redhat.com/show_bug.cgi?id=2023929
[ 11 ] Bug #2023931 - CVE-2021-42383 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()
https://bugzilla.redhat.com/show_bug.cgi?id=2023931
[ 12 ] Bug #2023933 - CVE-2021-42384 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()
https://bugzilla.redhat.com/show_bug.cgi?id=2023933
[ 13 ] Bug #2023936 - CVE-2021-42385 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()
https://bugzilla.redhat.com/show_bug.cgi?id=2023936
[ 14 ] Bug #2023938 - CVE-2021-42386 busybox: use-after-free in awk applet
leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()
https://bugzilla.redhat.com/show_bug.cgi?id=2023938
-------------------------------------------------------------------------------
-

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-c52c0fe490' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure