Описание
Security update for busybox
This update for busybox fixes the following issues:
Security issues:
- CVE-2025-46394: Fixed tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661)
- CVE-2025-60876: Fixed HTTP request header injection in wget (CVE-2025-60876, bsc#1253245)
Other issues:
- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670)
- Fixed unshare -mrpf sh core dump on ppc64le (bsc#1249237)
Список пакетов
SUSE Linux Enterprise Module for Basesystem 15 SP7
busybox-1.37.0-150700.18.10.1
busybox-static-1.37.0-150700.18.10.1
Ссылки
- Link for SUSE-SU-2026:0235-1
- E-Mail link for SUSE-SU-2026:0235-1
- SUSE Security Ratings
- SUSE Bug 1236670
- SUSE Bug 1241661
- SUSE Bug 1249237
- SUSE Bug 1253245
- SUSE CVE CVE-2025-46394 page
- SUSE CVE CVE-2025-60876 page
Описание
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Затронутые продукты
SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.10.1
SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.10.1
Ссылки
- CVE-2025-46394
- SUSE Bug 1241661
Описание
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
Затронутые продукты
SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.10.1
SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.10.1
Ссылки
- CVE-2025-60876
- SUSE Bug 1253245