GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Sun Dec 04, 2016 7:26 am Post subject: [ GLSA 201612-04 ] BusyBox
Gentoo Linux Security Advisory
Title: BusyBox: Multiple vulnerabilities (GLSA 201612-04)
Severity: normal
Exploitable: local, remote
Date: December 04, 2016
Bug(s): #564246, #577610
ID: 201612-04
Synopsis
Multiple vulnerabilities have been found in BusyBox, the worst of
which allows remote attackers to execute arbitrary code.
Background
BusyBox is a set of tools for embedded systems and is a replacement for
GNU Coreutils.
Affected Packages
Package: sys-apps/busybox
Vulnerable: < 1.24.2
Unaffected: >= 1.24.2
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in BusyBox. Please review
the CVE identifiers referenced below for details.
Impact
A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
Workaround
There is no known workaround at this time. However, on Gentoo, the
remote code execution vulnerability can be avoided by not using
BusyBox’s udhcpc, or by building the package without the “ipv6” USE
flag enabled.
Resolution
All BusyBox users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.24.2"
References
CVE-2016-2147
CVE-2016-2148
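The affected-version range and the "ipv6" workaround above can be checked mechanically. The script below is an added example, not part of the advisory or of Gentoo's tooling. Its function names, the sample banner and the sample USE strings are constructed for illustration, and it cannot tell whether udhcpc is actually in use.

```shell
#!/bin/sh
# Added example (not part of the advisory): triage against GLSA 201612-04.
FIXED="1.24.2"   # first unaffected sys-apps/busybox version per the advisory

# Extract "1.24.1" from a banner like "BusyBox v1.24.1 (...) multi-call binary."
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*[0-9]\).*/\1/p'
}

# Return 0 if dotted numeric version $1 is lower than $2 (numeric per field).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Print vulnerable, unaffected or unknown; a Gentoo -rN revision is ignored.
classify() {
    v=${1%%-r[0-9]*}
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return ;;
    esac
    if version_lt "$v" "$FIXED"; then echo vulnerable; else echo unaffected; fi
}

# Return 0 if the space-separated USE string $1 contains the ipv6 flag.
has_ipv6() {
    case " $1 " in *" ipv6 "*) return 0 ;; esac
    return 1
}

assess() {   # $1 = version, $2 = USE flags the package was built with
    state=$(classify "$1")
    if [ "$state" = vulnerable ] && ! has_ipv6 "$2"; then
        echo "vulnerable, udhcpc RCE workaround in place (no ipv6)"
    else
        echo "$state"
    fi
}

# Constructed sample inputs (banner text and USE strings are illustrative).
assess "$(banner_version 'BusyBox v1.24.1 (2016-03-01) multi-call binary.')" "ipv6 static"
assess "1.24.1-r2" "static"
assess "1.24.2" "ipv6"
```

A host flagged with the workaround message is still below 1.24.2 and still needs the upgrade from the Resolution section, since the advisory also lists a Denial of Service impact.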