CVE-2021-28831

Mousaw, Tim tmousaw at ptc.com
Mon May 3 12:08:09 UTC 2021


Is this the appropriate place to ask for a new release of BusyBox to be published? Again, the fix was merged to the 1_32_stable branch via https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd. But as it relates to a security issue, it would be great to get it into a formal release as soon as possible such that the BusyBox docker image we use can pull that released version. If this should be requested via some other vehicle, please let me know.

-----Original Message-----
From: Mousaw, Tim 
Sent: Wednesday, April 28, 2021 12:47 PM
To: Peter Korsgaard <peter at korsgaard.com>
Cc: Christophe Leroy <christophe.leroy at csgroup.eu>; busybox at busybox.net
Subject: RE: CVE-2021-28831

I got a response on https://github.com/docker-library/busybox/issues/101:
- We strive to follow upstream releases and so don't really backport patches. Once there is a release available on https://busybox.net/, we'll publish a new image.

So, could a new release of BusyBox please be published? I'm guessing it would be 1.32.2? Is it better to file a ticket to the BusyBox Bug and Patch Tracking system to request the new release?

-----Original Message-----
From: Mousaw, Tim 
Sent: Wednesday, April 28, 2021 11:15 AM
To: Peter Korsgaard <peter at korsgaard.com>
Cc: Christophe Leroy <christophe.leroy at csgroup.eu>; busybox at busybox.net
Subject: RE: CVE-2021-28831

Thanks again for the quick reply. I don't know why I assumed the maintainers of BusyBox would also maintain the docker images published. I filed https://github.com/docker-library/busybox/issues/101 for the BusyBox docker image. Not sure if this will require a new release to be published in order to create the docker image.

-----Original Message-----
From: Peter Korsgaard <jacmet at gmail.com> On Behalf Of Peter Korsgaard
Sent: Wednesday, April 28, 2021 10:41 AM
To: Mousaw, Tim <tmousaw at ptc.com>
Cc: Christophe Leroy <christophe.leroy at csgroup.eu>; busybox at busybox.net
Subject: Re: CVE-2021-28831

>>>>> "Mousaw," == Mousaw, Tim <tmousaw at ptc.com> writes:

 > Thanks for the quick replies.
 > So, once this was merged, did the 1.32.1 image tag of the BusyBox
 > docker image get rebuilt with it? From what I can tell, this is the
 > image tag that gets pulled when the "latest" tag is used.

Sorry, I have no idea who owns/builds that docker image, but given that this was added after 1.32.1 was tagged, I would NOT expect it to be included in a 1.32.1 build:

https://git.buildroot.org/busybox/log/?h=1_32_stable

--
Bye, Peter Korsgaard


