Backport needed for 18.04 and 20.04 LTS (CVE-2021-42378)

Bug #1953337 reported by Jason-Morries Adam
This bug affects 1 person
Affects: busybox (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Dear community,

Qualys reports a finding on our Ubuntu 18.04 and Ubuntu 20.04 instances because of CVE-2021-42378.
I can see that there is already a fix for Ubuntu 22.04. When will the fix be released for the LTS versions 18.04 and 20.04?

I can see the finding is monitored at https://ubuntu.com/security/CVE-2021-42378, but the CVSS3 scoring is 7.2, so I think the rating "high" would be better. Or is there any reason why "low" is ok?

Thanks in advance.

Best regards.

information type: Private Security → Public Security
information type: Public Security → Private Security
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

It's "low" because I don't believe our use of busybox runs untrusted awk scripts.

There are test packages available in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

They will probably be released this week.

Jason-Morries Adam (jasonmadam) wrote :

Thank you very much!

Marc Deslauriers (mdeslaur) wrote :
Changed in busybox (Ubuntu):
status: New → Fix Released
This report contains Public Security information  