Описание
Security update for busybox
This update for busybox fixes the following issues:
Security fixes:
- CVE-2025-60876: HTTP request header injection in wget (bsc#1253245).
- CVE-2025-46394: Fixed tar hidden files via escape sequence (bsc#1241661).
Other fixes:
- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670)
- Fix unshare -mrpf sh core dump on ppc64le (bsc#1249237)
Список пакетов
openSUSE Leap 16.0
busybox-1.37.0-160000.4.1
busybox-static-1.37.0-160000.4.1
busybox-warewulf3-1.37.0-160000.4.1
Ссылки
- SUSE Security Ratings
- SUSE Bug 1236670
- SUSE Bug 1241661
- SUSE Bug 1249237
- SUSE Bug 1253245
- SUSE CVE CVE-2025-46394 page
- SUSE CVE CVE-2025-60876 page
Описание
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Затронутые продукты
openSUSE Leap 16.0:busybox-1.37.0-160000.4.1
openSUSE Leap 16.0:busybox-static-1.37.0-160000.4.1
openSUSE Leap 16.0:busybox-warewulf3-1.37.0-160000.4.1
Ссылки
- CVE-2025-46394
- SUSE Bug 1241661
Описание
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
Затронутые продукты
openSUSE Leap 16.0:busybox-1.37.0-160000.4.1
openSUSE Leap 16.0:busybox-static-1.37.0-160000.4.1
openSUSE Leap 16.0:busybox-warewulf3-1.37.0-160000.4.1
Ссылки
- CVE-2025-60876
- SUSE Bug 1253245