CVE found in Busybox 1.34.1 and 1.35.0

[vvviren]

Both Busybox 1.34.1 and 1.35.0 are affected by Critical CVE https://nvd.nist.gov/vuln/detail/cve-2022-28391

Can you please provide any update on when is this going to be fixed with the expected version number.

Thank you

[addisonautomates]

Bumping this. Would like to know if this is on the roadmap. We currently use alpine as our gold image of source which has dependency on busybox 1.35.0 and we have 2 critical CVEs due to this version. Will likely have to abandon alpine and refactor a lot of our apps unless this will be remediated

[uGiFarukh]

Is the busybox project dead? Why no updates for almost 2 years?

[robang74]

On Mon, 2 Jan 2023 at 10:53, Farukh Khan ***@***.***> wrote: Is the busybox project dead? Why no updates for almost 2 years?

The last commit is 11 days old https://git.busybox.net/busybox/commit/?id=c4d296aa7c71d3dd812497c02c976124b66a0ff9 Best regards, R-

[wdlkmpx]

Yeah it's dead

[fxzxmic]

Is the busybox project dead? Why no updates for almost 2 years?

A new version was released a few days ago. How did you come to the conclusion that it was dead?

[vvviren]

Is the issue resolved in busybox 1.35.0 ? I don’t see info on this CVE in the changelog.

[fxzxmic]

Is the issue resolved in busybox 1.35.0 ? I don’t see info on this CVE in the changelog.

It should be fixed in version 1.36.0.

[fxzxmic]

This is just a mirror repository. Developers may not pay attention to the issue here.