Is this the appropriate place to ask for a new release of BusyBox to be published? Again, the fix was merged to the 1_32_stable branch via https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd. But as it relates to a security issue, it would be great to get it into a formal release as soon as possible such that the BusyBox docker image we use can pull that released version. If this should be requested via some other vehicle, please let me know.
-----Original Message-----
From: Mousaw, Tim
Sent: Wednesday, April 28, 2021 12:47 PM
To: Peter Korsgaard <pe...@korsgaard.com>
Cc: Christophe Leroy <christophe.le...@csgroup.eu>; busybox@busybox.net
Subject: RE: CVE-2021-28831

I got a response on https://github.com/docker-library/busybox/issues/101:

- We strive to follow upstream releases and so don't really backport patches. Once there is a release available on https://busybox.net/, we'll publish a new image.

So, could a new release of BusyBox please be published? I'm guessing it would be 1.32.2? Is it better to file a ticket to the BusyBox Bug and Patch Tracking system to request the new release?

-----Original Message-----
From: Mousaw, Tim
Sent: Wednesday, April 28, 2021 11:15 AM
To: Peter Korsgaard <pe...@korsgaard.com>
Cc: Christophe Leroy <christophe.le...@csgroup.eu>; busybox@busybox.net
Subject: RE: CVE-2021-28831

Thanks again for the quick reply. I don't know why I assumed the maintainers of BusyBox would also maintain the docker images published. I filed https://github.com/docker-library/busybox/issues/101 for the BusyBox docker image. Not sure if this will require a new release to be published in order to create the docker image.

-----Original Message-----
From: Peter Korsgaard <jac...@gmail.com> On Behalf Of Peter Korsgaard
Sent: Wednesday, April 28, 2021 10:41 AM
To: Mousaw, Tim <tmou...@ptc.com>
Cc: Christophe Leroy <christophe.le...@csgroup.eu>; busybox@busybox.net
Subject: Re: CVE-2021-28831

External email from: jac...@gmail.com

>>>>> "Mousaw," == Mousaw, Tim <tmou...@ptc.com> writes:

 > Thanks for the quick replies.
 > So, once this was merged, did the 1.32.1 image tag of the BusyBox docker
 > image get rebuilt with it? From what I can tell, this is the image tag
 > that gets pulled when the "latest" tag is used.
Sorry, I have no idea who owns/builds that docker image, but given that this was added after 1.32.1 was tagged, I would NOT expect it to be included in a 1.32.1 build:

https://git.buildroot.org/busybox/log/?h=1_32_stable

--
Bye, Peter Korsgaard
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox