'RE: CVE-2021-28831'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       busybox
Subject:    RE: CVE-2021-28831
From:       "Mousaw, Tim" <tmousaw () ptc ! com>
Date:       2021-04-28 16:47:14
Message-ID: MN2PR17MB367859E72F59780198E27C2CB4409 () MN2PR17MB3678 ! namprd17 ! prod ! outlook ! com
[Download RAW message or body]

I got a response on https://github.com/docker-library/busybox/issues/101:
- We strive to follow upstream releases and so don't really backport patches. Once \
there is a release available on https://busybox.net/, we'll publish a new image.

So, could a new release of BusyBox please be published? I'm guessing it would be \
1.32.2? Is it better to file a ticket to the BusyBox Bug and Patch Tracking system to \
request the new release?

-----Original Message-----
From: Mousaw, Tim 
Sent: Wednesday, April 28, 2021 11:15 AM
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>; busybox@busybox.net
Subject: RE: CVE-2021-28831

Thanks again for the quick reply. I don't know why I assumed the maintainers of \
BusyBox would also maintain the docker images published. I filed \
https://github.com/docker-library/busybox/issues/101 for the BusyBox docker image. \
Not sure if this will require a new release to be published in order to create the \
docker image.

-----Original Message-----
From: Peter Korsgaard <jacmet@gmail.com> On Behalf Of Peter Korsgaard
Sent: Wednesday, April 28, 2021 10:41 AM
To: Mousaw, Tim <tmousaw@ptc.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>; busybox@busybox.net
Subject: Re: CVE-2021-28831

External email from: jacmet@gmail.com

> > > > > "Mousaw," == Mousaw, Tim <tmousaw@ptc.com> writes:

 > Thanks for the quick replies.
 > So, once this was merged, did the 1.32.1 image tag of the BusyBox  > docker image \
get rebuilt with it? From what I can tell, this is the  > image tag that gets pulled \
when the "latest" tag is used.

Sorry, I have no idea who owns/builds that docker image, but given that this was \
added after 1.32.1 was tagged, I would NOT expect it to be included in a 1.32.1 \
build:

https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.buildroot.org%2F \
busybox%2Flog%2F%3Fh%3D1_32_stable&amp;data=04%7C01%7Ctmousaw%40ptc.com%7Cc2a60ca92007 \
4470082f08d90a53b626%7Cb9921086ff774d0d828acb3381f678e2%7C0%7C0%7C637552176929051043%7 \
CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0 \
%3D%7C1000&amp;sdata=%2FSUYh4PrpHEwurAHFiVzSrZYN1lzyEzb711Sa4gXz8A%3D&amp;reserved=0

--
Bye, Peter Korsgaard

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

[prev in list] [next in list] [prev in thread] [next in thread] 