[OpenWrt-Devel] FYI: [gentoo-announce] [ GLSA 201503-13 ] BusyBox: Multiple vulnerabilities
Daniel Golle
daniel at makrotopia.org
Sun Mar 29 13:33:05 EDT 2015
This might be important...
----- Forwarded message from Mikle Kolyada <zlogene at gentoo.org> -----
Date: Sun, 29 Mar 2015 20:08:33 +0300
From: Mikle Kolyada <zlogene at gentoo.org>
To: gentoo-announce at lists.gentoo.org
Subject: [gentoo-announce] [ GLSA 201503-13 ] BusyBox: Multiple vulnerabilities
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201503-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: BusyBox: Multiple vulnerabilities
Date: March 29, 2015
Bugs: #515254, #537978
ID: 201503-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in BusyBox, allowing context
dependent attackers to load arbitrary kernel modules, execute arbitrary
files, or cause a Denial of Service condition.
Background
==========
BusyBox is a set of tools for embedded systems and is a replacement for
GNU Coreutils.
Affected packages
=================
-------------------------------------------------------------------
 #  Package             /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
 1  sys-apps/busybox       < 1.23.1       >= 1.23.1
Description
===========
Multiple vulnerabilities have been discovered in BusyBox. Please
review the CVE identifiers referenced below for details.
Impact
======
A context-dependent attacker can load kernel modules without privileges
by nullifying enforced module prefixes. Execution of arbitrary files or
a Denial of Service can be caused through the included vulnerable LZO
library.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All BusyBox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.23.1"
References
==========
[ 1 ] CVE-2014-4607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4607
[ 2 ] CVE-2014-9645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9645
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201503-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
----- End forwarded message -----