Описание
Security update for busybox
This update for busybox fixes the following issues:
This update for busybox fixes the following issues:
Security issues:
- CVE-2025-46394: Fixed tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661)
- CVE-2025-60876: Fixed HTTP request header injection in wget (CVE-2025-60876, bsc#1253245)
Other issues:
- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670)
- Fixed unshare -mrpf sh core dump on ppc64le (bsc#1249237)
- Fixed adduser inside containers on an SELinux host (bsc#1247779)
Список пакетов
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
busybox-1.37.0-150500.10.14.1
busybox-static-1.37.0-150500.10.14.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
busybox-1.37.0-150500.10.14.1
busybox-static-1.37.0-150500.10.14.1
SUSE Linux Enterprise Server 15 SP5-LTSS
busybox-1.37.0-150500.10.14.1
busybox-static-1.37.0-150500.10.14.1
SUSE Linux Enterprise Server 15 SP6-LTSS
busybox-1.37.0-150500.10.14.1
busybox-static-1.37.0-150500.10.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5
busybox-1.37.0-150500.10.14.1
busybox-static-1.37.0-150500.10.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP6
busybox-1.37.0-150500.10.14.1
busybox-static-1.37.0-150500.10.14.1
openSUSE Leap 15.6
busybox-1.37.0-150500.10.14.1
busybox-adduser-1.37.0-150500.7.9.1
busybox-attr-1.37.0-150500.7.9.1
busybox-bc-1.37.0-150500.7.9.1
busybox-bind-utils-1.37.0-150500.7.9.1
busybox-bzip2-1.37.0-150500.7.9.1
busybox-coreutils-1.37.0-150500.7.9.1
busybox-cpio-1.37.0-150500.7.9.1
busybox-diffutils-1.37.0-150500.7.9.1
busybox-dos2unix-1.37.0-150500.7.9.1
busybox-ed-1.37.0-150500.7.9.1
busybox-findutils-1.37.0-150500.7.9.1
busybox-gawk-1.37.0-150500.7.9.1
busybox-grep-1.37.0-150500.7.9.1
busybox-gzip-1.37.0-150500.7.9.1
busybox-hexedit-1.37.0-150500.7.9.1
busybox-hostname-1.37.0-150500.7.9.1
busybox-iproute2-1.37.0-150500.7.9.1
busybox-iputils-1.37.0-150500.7.9.1
busybox-kbd-1.37.0-150500.7.9.1
busybox-kmod-1.37.0-150500.7.9.1
busybox-less-1.37.0-150500.7.9.1
busybox-links-1.37.0-150500.7.9.1
busybox-man-1.37.0-150500.7.9.1
busybox-misc-1.37.0-150500.7.9.1
busybox-ncurses-utils-1.37.0-150500.7.9.1
busybox-net-tools-1.37.0-150500.7.9.1
busybox-netcat-1.37.0-150500.7.9.1
busybox-patch-1.37.0-150500.7.9.1
busybox-policycoreutils-1.37.0-150500.7.9.1
busybox-procps-1.37.0-150500.7.9.1
busybox-psmisc-1.37.0-150500.7.9.1
busybox-sed-1.37.0-150500.7.9.1
busybox-selinux-tools-1.37.0-150500.7.9.1
busybox-sendmail-1.37.0-150500.7.9.1
busybox-sh-1.37.0-150500.7.9.1
busybox-sha3sum-1.37.0-150500.7.9.1
busybox-sharutils-1.37.0-150500.7.9.1
busybox-static-1.37.0-150500.10.14.1
busybox-syslogd-1.37.0-150500.7.9.1
busybox-sysvinit-tools-1.37.0-150500.7.9.1
busybox-tar-1.37.0-150500.7.9.1
busybox-telnet-1.37.0-150500.7.9.1
busybox-testsuite-1.37.0-150500.10.14.1
busybox-tftp-1.37.0-150500.7.9.1
busybox-time-1.37.0-150500.7.9.1
busybox-traceroute-1.37.0-150500.7.9.1
busybox-tunctl-1.37.0-150500.7.9.1
busybox-udhcpc-1.37.0-150500.7.9.1
busybox-unzip-1.37.0-150500.7.9.1
busybox-util-linux-1.37.0-150500.7.9.1
busybox-vi-1.37.0-150500.7.9.1
busybox-vlan-1.37.0-150500.7.9.1
busybox-warewulf3-1.37.0-150500.10.14.1
busybox-wget-1.37.0-150500.7.9.1
busybox-which-1.37.0-150500.7.9.1
busybox-whois-1.37.0-150500.7.9.1
busybox-xz-1.37.0-150500.7.9.1
Ссылки
- Link for SUSE-SU-2026:0236-1
- E-Mail link for SUSE-SU-2026:0236-1
- SUSE Security Ratings
- SUSE Bug 1236670
- SUSE Bug 1241661
- SUSE Bug 1247779
- SUSE Bug 1249237
- SUSE Bug 1253245
- SUSE CVE CVE-2025-46394 page
- SUSE CVE CVE-2025-60876 page
Описание
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Затронутые продукты
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.14.1
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.14.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.14.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.14.1
Ссылки
- CVE-2025-46394
- SUSE Bug 1241661
Описание
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
Затронутые продукты
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.14.1
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.14.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.14.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.14.1
Ссылки
- CVE-2025-60876
- SUSE Bug 1253245