CVE-2023-42363 (GCVE-0-2023-42363)
Vulnerability from cvelistv5 – Published: 2023-11-27 00:00 – Updated: 2024-08-02 19:16
Summary
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
Severity ?
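No CVSS data available in the CNA record; the NVD enrichment further down this page assigns a CVSS 3.1 base score of 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.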
CWE
- n/a in the CNA record; the NVD enrichment further down this page lists CWE-416 (Use After Free).
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:16:50.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.busybox.net/show_bug.cgi?id=15865"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T21:53:07.527829",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.busybox.net/show_bug.cgi?id=15865"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-42363",
"datePublished": "2023-11-27T00:00:00",
"dateReserved": "2023-09-08T00:00:00",
"dateUpdated": "2024-08-02T19:16:50.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F729D66A-538E-421E-961F-8A484E6C6106\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.\"}, {\"lang\": \"es\", \"value\": \"Se descubri\\u00f3 una vulnerabilidad de use-after-free en la funci\\u00f3n xasprintf en xfuncs_printf.c:344 en BusyBox v.1.36.1.\"}]",
"id": "CVE-2023-42363",
"lastModified": "2024-11-21T08:22:28.403",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
"published": "2023-11-27T22:15:07.940",
"references": "[{\"url\": \"https://bugs.busybox.net/show_bug.cgi?id=15865\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://bugs.busybox.net/show_bug.cgi?id=15865\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-42363\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-11-27T22:15:07.940\",\"lastModified\":\"2024-11-21T08:22:28.403\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 una vulnerabilidad de use-after-free en la funci\u00f3n xasprintf en xfuncs_printf.c:344 en BusyBox v.1.36.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F729D66A-538E-421E-961F-8A484E6C6106\"}]}]}],\"references\":[{\"url\":\"https://bugs.busybox.net/show_bug.cgi?id=15865\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://bugs.busybox.net/show_bug.cgi?id=15865\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]}]}}"
}
}
GSD-2023-42363
Vulnerability from gsd - Updated: 2023-12-13 01:20
Details
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
Aliases
{
"GSD": {
"alias": "CVE-2023-42363",
"id": "GSD-2023-42363"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-42363"
],
"details": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"id": "GSD-2023-42363",
"modified": "2023-12-13T01:20:21.526777Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2023-42363",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.busybox.net/show_bug.cgi?id=15865",
"refsource": "MISC",
"url": "https://bugs.busybox.net/show_bug.cgi?id=15865"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2023-42363"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.busybox.net/show_bug.cgi?id=15865",
"refsource": "",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.busybox.net/show_bug.cgi?id=15865"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-11-30T05:06Z",
"publishedDate": "2023-11-27T22:15Z"
}
}
}
CERTFR-2026-AVI-0101
Vulnerability from certfr_avis - Published: 2026-01-29 - Updated: 2026-01-29
De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description |
|---|---|---|
| Siemens | SCALANCE | SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XCH328 (6GK5328-4TS01-2EC2) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XCM332 (6GK5332-0GA01-2AC2) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XCM328 (6GK5328-4TS01-2AC2) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XCM324 (6GK5324-8TS01-2AC2) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) versions antérieures à 3.3 |
| Siemens | SCALANCE | SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3) versions antérieures à 3.3 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XCH328 (6GK5328-4TS01-2EC2) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XCM332 (6GK5332-0GA01-2AC2) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XCM328 (6GK5328-4TS01-2AC2) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XCM324 (6GK5324-8TS01-2AC2) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
},
{
"description": "SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3) versions ant\u00e9rieures \u00e0 3.3",
"product": {
"name": "SCALANCE",
"vendor": {
"name": "Siemens",
"scada": true
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-9681",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9681"
},
{
"name": "CVE-2025-9231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9231"
},
{
"name": "CVE-2025-10148",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-10148"
},
{
"name": "CVE-2025-4330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4330"
},
{
"name": "CVE-2025-4138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4138"
},
{
"name": "CVE-2025-32433",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32433"
},
{
"name": "CVE-2025-4373",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4373"
},
{
"name": "CVE-2025-39853",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39853"
},
{
"name": "CVE-2025-39865",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39865"
},
{
"name": "CVE-2024-41996",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41996"
},
{
"name": "CVE-2025-27587",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27587"
},
{
"name": "CVE-2023-39810",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39810"
},
{
"name": "CVE-2025-1390",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1390"
},
{
"name": "CVE-2025-39864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39864"
},
{
"name": "CVE-2025-59375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59375"
},
{
"name": "CVE-2024-11053",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11053"
},
{
"name": "CVE-2024-7264",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7264"
},
{
"name": "CVE-2025-4517",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4517"
},
{
"name": "CVE-2025-38086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38086"
},
{
"name": "CVE-2025-4435",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4435"
},
{
"name": "CVE-2025-6141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6141"
},
{
"name": "CVE-2023-42365",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42365"
},
{
"name": "CVE-2024-12718",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12718"
},
{
"name": "CVE-2025-3360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-3360"
},
{
"name": "CVE-2025-9232",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9232"
},
{
"name": "CVE-2024-52533",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52533"
},
{
"name": "CVE-2024-6874",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6874"
},
{
"name": "CVE-2025-38085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38085"
},
{
"name": "CVE-2022-48174",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48174"
},
{
"name": "CVE-2025-39860",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39860"
},
{
"name": "CVE-2023-42364",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42364"
},
{
"name": "CVE-2025-39839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39839"
},
{
"name": "CVE-2025-9086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9086"
},
{
"name": "CVE-2023-7256",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-7256"
},
{
"name": "CVE-2024-6197",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6197"
},
{
"name": "CVE-2025-4516",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4516"
},
{
"name": "CVE-2025-0665",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0665"
},
{
"name": "CVE-2024-8096",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8096"
},
{
"name": "CVE-2025-39846",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39846"
},
{
"name": "CVE-2024-8006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8006"
},
{
"name": "CVE-2025-9230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
},
{
"name": "CVE-2025-38350",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38350"
},
{
"name": "CVE-2025-0725",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0725"
},
{
"name": "CVE-2025-38498",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38498"
},
{
"name": "CVE-2023-42363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42363"
},
{
"name": "CVE-2025-38084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38084"
},
{
"name": "CVE-2025-39841",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39841"
},
{
"name": "CVE-2023-42366",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42366"
},
{
"name": "CVE-2025-0167",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0167"
},
{
"name": "CVE-2025-38345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38345"
},
{
"name": "CVE-2024-47619",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47619"
}
],
"initial_release_date": "2026-01-29T00:00:00",
"last_revision_date": "2026-01-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0101",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-29T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Siemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
"vendor_advisories": [
{
"published_at": "2026-01-28",
"title": "Bulletin de s\u00e9curit\u00e9 Siemens SSA-089022",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
}
]
}
WID-SEC-W-2023-3011
Vulnerability from csaf_certbund - Published: 2023-11-27 23:00 - Updated: 2025-09-23 22:00
Summary
BusyBox: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
BusyBox ist ein Computerprogramm, das verschiedene Standard-Unix-Dienstprogramme in einem einzelnen Programm vereint.
Angriff
Ein lokaler Angreifer kann mehrere Schwachstellen in BusyBox ausnutzen, um einen Denial of Service Angriff durchzuführen oder unbekannte Auswirkungen zu verursachen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "BusyBox ist ein Computerprogramm, das verschiedene Standard-Unix-Dienstprogramme in einem einzelnen Programm vereint.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein lokaler Angreifer kann mehrere Schwachstellen in BusyBox ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder unbekannte Auswirkungen zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-3011 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3011.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-3011 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3011"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2023-11-27",
"url": "https://github.com/advisories/GHSA-j44g-3846-7q49"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2023-11-27",
"url": "https://github.com/advisories/GHSA-qqqj-6rp2-5pw4"
},
{
"category": "external",
"summary": "GitHub Advisory Database vom 2023-11-27",
"url": "https://github.com/advisories/GHSA-wm78-9prw-c5h4"
},
{
"category": "external",
"summary": "BusyBox Bugzilla vom 2023-11-27",
"url": "https://bugs.busybox.net/show_bug.cgi?id=15865"
},
{
"category": "external",
"summary": "BusyBox Bugzilla vom 2023-11-27",
"url": "https://bugs.busybox.net/show_bug.cgi?id=15871"
},
{
"category": "external",
"summary": "BusyBox Bugzilla vom 2023-11-27",
"url": "https://bugs.busybox.net/show_bug.cgi?id=15868"
},
{
"category": "external",
"summary": "NIST Database vom 2023-11-27",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366"
},
{
"category": "external",
"summary": "BusyBox Bugzilla vom 2023-11-27",
"url": "https://bugs.busybox.net/show_bug.cgi?id=15874"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-6961-1 vom 2024-08-14",
"url": "https://ubuntu.com/security/notices/USN-6961-1"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4019 vom 2025-01-19",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15361-1 vom 2025-07-21",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TXPQWR4VYNLGUHEPNPESZ4R3VJ7CQR64/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03205-1 vom 2025-09-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-September/022519.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03271-1 vom 2025-09-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-September/022587.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03271-2 vom 2025-09-23",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-September/022612.html"
}
],
"source_lang": "en-US",
"title": "BusyBox: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-09-23T22:00:00.000+00:00",
"generator": {
"date": "2025-09-24T05:31:09.423+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2023-3011",
"initial_release_date": "2023-11-27T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-11-27T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-08-14T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2025-01-19T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-07-21T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-09-14T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-09-18T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-09-23T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "7"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.36.1",
"product": {
"name": "Open Source BusyBox 1.36.1",
"product_id": "T031371",
"product_identification_helper": {
"cpe": "cpe:/a:busybox:busybox:1.36.1"
}
}
}
],
"category": "product_name",
"name": "BusyBox"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T000126",
"T027843",
"T031371"
]
},
"release_date": "2023-11-27T23:00:00.000+00:00",
"title": "CVE-2023-42363"
},
{
"cve": "CVE-2023-42364",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T000126",
"T027843",
"T031371"
]
},
"release_date": "2023-11-27T23:00:00.000+00:00",
"title": "CVE-2023-42364"
},
{
"cve": "CVE-2023-42365",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T000126",
"T027843",
"T031371"
]
},
"release_date": "2023-11-27T23:00:00.000+00:00",
"title": "CVE-2023-42365"
},
{
"cve": "CVE-2023-42366",
"product_status": {
"known_affected": [
"2951",
"T002207",
"T000126",
"T027843",
"T031371"
]
},
"release_date": "2023-11-27T23:00:00.000+00:00",
"title": "CVE-2023-42366"
}
]
}
FKIE_CVE-2023-42363
Vulnerability from fkie_nvd - Published: 2023-11-27 22:15 - Updated: 2024-11-21 08:22
Severity ?
Summary
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://bugs.busybox.net/show_bug.cgi?id=15865 | Exploit, Issue Tracking, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.busybox.net/show_bug.cgi?id=15865 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F729D66A-538E-421E-961F-8A484E6C6106",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1."
},
{
"lang": "es",
"value": "Se descubri\u00f3 una vulnerabilidad de use-after-free en la funci\u00f3n xasprintf en xfuncs_printf.c:344 en BusyBox v.1.36.1."
}
],
"id": "CVE-2023-42363",
"lastModified": "2024-11-21T08:22:28.403",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-27T22:15:07.940",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.busybox.net/show_bug.cgi?id=15865"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.busybox.net/show_bug.cgi?id=15865"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-WM78-9PRW-C5H4
Vulnerability from github – Published: 2023-11-28 00:30 – Updated: 2023-11-30 06:33
Details
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
Severity ?
5.5 (Medium)
{
"affected": [],
"aliases": [
"CVE-2023-42363"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-27T22:15:07Z",
"severity": "MODERATE"
},
"details": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"id": "GHSA-wm78-9prw-c5h4",
"modified": "2023-11-30T06:33:24Z",
"published": "2023-11-28T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42363"
},
{
"type": "WEB",
"url": "https://bugs.busybox.net/show_bug.cgi?id=15865"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
OPENSUSE-SU-2024:14237-1
Vulnerability from csaf_opensuse - Published: 2024-08-01 00:00 - Updated: 2024-08-01 00:00
Summary
trivy-0.54.1-1.1 on GA media
Notes
Title of the patch
trivy-0.54.1-1.1 on GA media
Description of the patch
These are all security issues fixed in the trivy-0.54.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14237
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "trivy-0.54.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the trivy-0.54.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14237",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14237-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42363 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42363/"
}
],
"title": "trivy-0.54.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-08-01T00:00:00Z",
"generator": {
"date": "2024-08-01T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14237-1",
"initial_release_date": "2024-08-01T00:00:00Z",
"revision_history": [
{
"date": "2024-08-01T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-1.1.aarch64",
"product": {
"name": "trivy-0.54.1-1.1.aarch64",
"product_id": "trivy-0.54.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-1.1.ppc64le",
"product": {
"name": "trivy-0.54.1-1.1.ppc64le",
"product_id": "trivy-0.54.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-1.1.s390x",
"product": {
"name": "trivy-0.54.1-1.1.s390x",
"product_id": "trivy-0.54.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-1.1.x86_64",
"product": {
"name": "trivy-0.54.1-1.1.x86_64",
"product_id": "trivy-0.54.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:trivy-0.54.1-1.1.aarch64"
},
"product_reference": "trivy-0.54.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:trivy-0.54.1-1.1.ppc64le"
},
"product_reference": "trivy-0.54.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:trivy-0.54.1-1.1.s390x"
},
"product_reference": "trivy-0.54.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:trivy-0.54.1-1.1.x86_64"
},
"product_reference": "trivy-0.54.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42363"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:trivy-0.54.1-1.1.aarch64",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.ppc64le",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.s390x",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42363",
"url": "https://www.suse.com/security/cve/CVE-2023-42363"
},
{
"category": "external",
"summary": "SUSE Bug 1217580 for CVE-2023-42363",
"url": "https://bugzilla.suse.com/1217580"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:trivy-0.54.1-1.1.aarch64",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.ppc64le",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.s390x",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:trivy-0.54.1-1.1.aarch64",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.ppc64le",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.s390x",
"openSUSE Tumbleweed:trivy-0.54.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-01T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-42363"
}
]
}
OPENSUSE-SU-2024:0268-1
Vulnerability from csaf_opensuse - Published: 2024-08-30 08:00 - Updated: 2024-08-30 08:00
Summary
Security update for trivy
Notes
Title of the patch
Security update for trivy
Description of the patch
trivy was updated to fix the following issues:
Update to version 0.54.1:
* fix(flag): incorrect behavior for deprected flag `--clear-cache` [backport: release/v0.54] (#7285)
* fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
* fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)
* docs: update ecosystem page reporting with plopsec.com app (#7262)
* feat(vex): retrieve VEX attestations from OCI registries (#7249)
* feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)
* refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259)
* fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110)
* chore: show VEX notice for OSS maintainers in CI environments (#7246)
* feat(vuln): add `--pkg-relationships` (#7237)
* docs: show VEX cli pages + update config file page for VEX flags (#7244)
* fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194)
* feat(vex): VEX Repository support (#7206)
* fix(secret): skip regular strings contain secret patterns (#7182)
* feat: share build-in rules (#7207)
* fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)
* fix(cli): error on missing config file (#7154)
* fix(secret): update length of `hugging-face-access-token` (#7216)
* feat(sbom): add vulnerability support for SPDX formats (#7213)
* fix(secret): trim excessively long lines (#7192)
* chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)
* fix(server): pass license categories to options (#7203)
* feat(mariner): Add support for Azure Linux (#7186)
* docs: updates config file (#7188)
* refactor(fs): remove unused field for CompositeFS (#7195)
* fix: add missing platform and type to spec (#7149)
* feat(misconf): enabled China configuration for ACRs (#7156)
* fix: close file when failed to open gzip (#7164)
* docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)
* docs(misconf): add info about limitations for terraform plan json (#7143)
* chore: add VEX for Trivy images (#7140)
* chore: add VEX document and generator for Trivy (#7128)
* fix(misconf): do not evaluate TF when a load error occurs (#7109)
* feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)
* refactor(secret): move warning about file size after `IsBinary` check (#7123)
* feat: add openSUSE tumbleweed detection and scanning (#6965)
* test: add missing advisory details for integration tests database (#7122)
* fix: Add dependencyManagement exclusions to the child exclusions (#6969)
* fix: ignore nodes when listing permission is not allowed (#7107)
* fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)
* refactor(secret): add warning about large files (#7085)
* feat(nodejs): add license parser to pnpm analyser (#7036)
* refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)
* feat: add `log.FilePath()` function for logger (#7080)
* chore: bump golangci-lint from v1.58 to v1.59 (#7077)
* perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation (#7065)
* refactor: pass DB dir to trivy-db (#7057)
* docs: navigate to the release highlights and summary (#7072)
Update to version 0.53.0 (bsc#1227022, CVE-2024-6257):
* feat(conda): add licenses support for `environment.yml` files (#6953)
* fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
* feat: add memory cache backend (#7048)
* fix(sbom): use package UIDs for uniqueness (#7042)
* feat(php): add installed.json file support (#4865)
* docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
* fix: use embedded when command path not found (#7037)
* refactor: use google/wire for cache (#7024)
* fix(cli): show info message only when --scanners is available (#7032)
* chore: enable float-compare rule from testifylint (#6967)
* docs: Add sudo on commands, chmod before mv on install docs (#7009)
* fix(plugin): respect `--insecure` (#7022)
* feat(k8s)!: node-collector dynamic commands support (#6861)
* fix(sbom): take pkg name from `purl` for maven pkgs (#7008)
* feat!: add clean subcommand (#6993)
* chore: use `!` for breaking changes (#6994)
* feat(aws)!: Remove aws subcommand (#6995)
* refactor: replace global cache directory with parameter passing (#6986)
* fix(sbom): use `purl` for `bitnami` pkg names (#6982)
* chore: bump Go toolchain version (#6984)
* refactor: unify cache implementations (#6977)
* docs: non-packaged and sbom clarifications (#6975)
* BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin (#6819)
* docs: delete unknown URL (#6972)
* refactor: use version-specific URLs for documentation references (#6966)
* refactor: delete db mock (#6940)
* refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
* feat: Add local ImageID to SARIF metadata (#6522)
* fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
* feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
* feat(java): add support for `maven-metadata.xml` files for remote snapshot repositories. (#6950)
* fix(purl): add missed os types (#6955)
* fix(cyclonedx): trim non-URL info for `advisory.url` (#6952)
* fix(c): don't skip conan files from `file-patterns` and scan `.conan2` cache dir (#6949)
* fix(image): parse `image.inspect.Created` field only for non-empty values (#6948)
* fix(misconf): handle source prefix to ignore (#6945)
* fix(misconf): fix parsing of engine links and frameworks (#6937)
* feat(misconf): support of selectors for all providers for Rego (#6905)
* fix(license): return license separation using separators `,`, `or`, etc. (#6916)
* feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
* BREAKING(misconf): flatten recursive types (#6862)
* test: bump docker API to 1.45 (#6914)
* feat(sbom): migrate to `CycloneDX v1.6` (#6903)
* feat(image): Set User-Agent header for Trivy container registry requests (#6868)
* fix(debian): take installed files from the origin layer (#6849)
* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken (#6858)
* feat(misconf): API Gateway V1 support for CloudFormation (#6874)
* feat(plugin): add support for nested archives (#6845)
* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files (#6866)
* fix(secret): `Asymmetric Private Key` shouldn't start with space (#6867)
* chore: auto label discussions (#5259)
* docs: explain how VEX is applied (#6864)
* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)
* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
* feat(dart): use first version of constraint for dependencies using SDK version (#6239)
* fix(misconf): parsing numbers without fraction as int (#6834)
* fix(misconf): fix caching of modules in subdirectories (#6814)
* feat(misconf): add metadata to Cloud schema (#6831)
* test: replace embedded Git repository with dynamically created repository (#6824)
Update to version 0.52.2:
* test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
* fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)
Update to version 0.52.1:
* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)
* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)
* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)
* docs: explain how VEX is applied (#6864)
* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
Update to version 0.52.0 (bsc#1224781, CVE-2024-35192):
* fix(plugin): initialize logger (#6836)
* fix(cli): always output fatal errors to stderr (#6827)
* fix: close testfile (#6830)
* docs(julia): add scanner table (#6826)
* feat(python): add license support for `requirement.txt` files (#6782)
* docs: add more workarounds for out-of-disk (#6821)
* chore: improve error message for image not found (#6822)
* fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808)
* fix: clean up golangci lint configuration (#6797)
* fix(python): add package name and version validation for `requirements.txt` files. (#6804)
* feat(vex): improve relationship support in CSAF VEX (#6735)
* chore(alpine): add eol date for Alpine 3.20 (#6800)
* docs(plugin): add missed `plugin` section (#6799)
* fix: include packages unless it is not needed (#6765)
* feat(misconf): support for VPC resources for inbound/outbound rules (#6779)
* chore: replace interface{} with any (#6751)
* fix: close settings.xml (#6768)
* refactor(go): add priority for gobinary module versions from `ldflags` (#6745)
* build: use main package instead of main.go (#6766)
* feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)
* docs: add info on adding compliance checks (#6275)
* docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)
* feat(nodejs): add v9 pnpm lock file support (#6617)
* feat(vex): support non-root components for products in OpenVEX (#6728)
* feat(python): add line number support for `requirement.txt` files (#6729)
* chore: respect timeout value in .golangci.yaml (#6724)
* fix: node-collector high and critical cves (#6707)
* Merge pull request from GHSA-xcq4-m2r3-cmrj
* chore: auto-bump golang patch versions (#6711)
* fix(misconf): don't shift ignore rule related to code (#6708)
* feat(plugin): specify plugin version (#6683)
* chore: enforce golangci-lint version (#6700)
* fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705)
* fix(go): add only non-empty root modules for `gobinaries` (#6710)
* refactor: unify package addition and vulnerability scanning (#6579)
* fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
* feat(misconf): Add support for deprecating a check (#6664)
* feat: Add Julia language analyzer support (#5635)
* feat(misconf): register builtin Rego funcs from trivy-checks (#6616)
* fix(report): hide empty tables if all vulns has been filtered (#6352)
* feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)
* feat: add support for plugin index (#6674)
* docs: add support table for client server mode (#6498)
* fix: close APKINDEX archive file (#6672)
* fix(misconf): skip Rego errors with a nil location (#6666)
* refactor: move artifact types under artifact package to avoid import cycles (#6652)
* refactor(misconf): remove extrafs (#6656)
* refactor: re-define module structs for serialization (#6655)
* chore(misconf): Clean up iac logger (#6642)
* feat(misconf): support symlinks inside of Helm archives (#6621)
* feat(misconf): add Terraform 'removed' block to schema (#6640)
* refactor: unify Library and Package structs (#6633)
* fix: use of specified context to obtain cluster name (#6645)
* perf(misconf): parse rego input once (#6615)
* fix(misconf): skip Rego errors with a nil location (#6638)
* docs: link warning to both timeout config options (#6620)
* docs: fix usage of image-config-scanners (#6635)
Update to version 0.51.1:
* fix(fs): handle default skip dirs properly (#6628)
* fix(misconf): load cached tf modules (#6607)
* fix(misconf): do not use semver for parsing tf module versions (#6614)
* refactor: move setting scanners when using compliance reports to flag parsing (#6619)
* feat: introduce package UIDs for improved vulnerability mapping (#6583)
* perf(misconf): Improve cause performance (#6586)
* docs: trivy-k8s new experiance remove un-used section (#6608)
* docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
* feat(misconf): Use updated terminology for misconfiguration checks (#6476)
* docs: use `generic` link from `trivy-repo` (#6606)
* docs: update trivy k8s with new experience (#6465)
* feat: support `--skip-images` scanning flag (#6334)
* BREAKING: add support for k8s `disable-node-collector` flag (#6311)
* feat: add ubuntu 23.10 and 24.04 support (#6573)
* docs(go): add stdlib (#6580)
* feat(go): parse main mod version from build info settings (#6564)
* feat: respect custom exit code from plugin (#6584)
* docs: add asdf and mise installation method (#6063)
* feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
* feat: add support `environment.yaml` files (#6569)
* fix: close plugin.yaml (#6577)
* fix: trivy k8s avoid deleting non-default node collector namespace (#6559)
* BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)
* feat(go): add main module (#6574)
* feat: add relationships (#6563)
* docs: mention `--show-suppressed` is available in table (#6571)
* chore: fix sqlite to support loong64 (#6511)
* fix(debian): sort dpkg info before parsing due to exclude directories (#6551)
* docs: update info about config file (#6547)
* docs: remove RELEASE_VERSION from trivy.repo (#6546)
* fix(sbom): change error to warning for multiple OSes (#6541)
* fix(vuln): skip empty versions (#6542)
* feat(c): add license support for conan lock files (#6329)
* fix(terraform): Attribute and fileset fixes (#6544)
* refactor: change warning if no vulnerability details are found (#6230)
* refactor(misconf): improve error handling in the Rego scanner (#6527)
* feat(go): parse main module of go binary files (#6530)
* refactor(misconf): simplify the retrieval of module annotations (#6528)
* docs(nodejs): add info about supported versions of pnpm lock files (#6510)
* feat(misconf): loading embedded checks as a fallback (#6502)
* fix(misconf): Parse JSON k8s manifests properly (#6490)
* refactor: remove parallel walk (#5180)
* fix: close pom.xml (#6507)
* fix(secret): convert severity for custom rules (#6500)
* fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)
* fix: typo (#6283)
* docs(k8s,image): fix command-line syntax issues (#6403)
* fix(misconf): avoid panic if the scheme is not valid (#6496)
* feat(image): goversion as stdlib (#6277)
* fix: add color for error inside of log message (#6493)
* docs: fix links to OPA docs (#6480)
* refactor: replace zap with slog (#6466)
* docs: update links to IaC schemas (#6477)
* chore: bump Go to 1.22 (#6075)
* refactor(terraform): sync funcs with Terraform (#6415)
* feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
* fix(terraform): eval submodules (#6411)
* refactor(terraform): remove unused options (#6446)
* refactor(terraform): remove unused file (#6445)
* fix(misconf): Escape template value correctly (#6292)
* feat(misconf): add support for wildcard ignores (#6414)
* fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)
* refactor(terraform): remove metrics collection (#6444)
* feat(cloudformation): add support for logging and endpoint access for EKS (#6440)
* fix(db): check schema version for image name only (#6410)
* feat(misconf): Support private registries for misconf check bundle (#6327)
* feat(cloudformation): inline ignore support for YAML templates (#6358)
* feat(terraform): ignore resources by nested attributes (#6302)
* perf(helm): load in-memory files (#6383)
* feat(aws): apply filter options to result (#6367)
* feat(aws): quiet flag support (#6331)
* fix(misconf): clear location URI for SARIF (#6405)
* test(cloudformation): add CF tests (#6315)
* fix(cloudformation): infer type after resolving a function (#6406)
* fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)
* docs: add info about support for package license detection in `fs`/`repo` modes (#6381)
* fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)
* fix: use `0600` perms for tmp files for post analyzers (#6386)
* fix(helm): scan the subcharts once (#6382)
* docs(terraform): add file patterns for Terraform Plan (#6393)
* fix(terraform): checking SSE encryption algorithm validity (#6341)
* fix(java): parse modules from `pom.xml` files once (#6312)
* fix(server): add Locations for `Packages` in client/server mode (#6366)
* fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)
* fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)
* chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)
* feat(java): add support licenses and graph for gradle lock files (#6140)
* feat(vex): consider root component for relationships (#6313)
* fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)
* chore: updates wazero to v1.7.0 (#6301)
* feat(sbom): Support license detection for SBOM scan (#6072)
* refactor(sbom): use intermediate representation for SPDX (#6310)
* docs(terraform): improve documentation for filtering by inline comments (#6284)
* fix(terraform): fix policy document retrieval (#6276)
* refactor(terraform): remove unused custom error (#6303)
* refactor(sbom): add intermediate representation for BOM (#6240)
* fix(amazon): check only major version of AL to find advisories (#6295)
* fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)
* fix(nodejs): add name validation for package name from `package.json` (#6268)
* docs: Added install instructions for FreeBSD (#6293)
* feat(image): customer podman host or socket option (#6256)
* feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213)
* fix(license): reorder logic of how python package licenses are acquired (#6220)
* test(terraform): skip cached modules (#6281)
* feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
* fix(cloudformation): support of all SSE algorithms for s3 (#6270)
* feat(terraform): Terraform Plan snapshot scanning support (#6176)
* fix: typo function name and comment optimization (#6200)
* fix(java): don't ignore runtime scope for pom.xml files (#6223)
* fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)
* test(k8s): use test-db for k8s integration tests (#6222)
* fix(terraform): fix root module search (#6160)
* test(parser): squash test data for yarn (#6203)
* fix(terraform): do not re-expand dynamic blocks (#6151)
* docs: update ecosystem page reporting with db app (#6201)
* fix: k8s summary separate infra and user finding results (#6120)
* fix: add context to target finding on k8s table view (#6099)
* fix: Printf format err (#6198)
* refactor: better integration of the parser into Trivy (#6183)
* feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)
* fix(vex): CSAF filtering should consider relationships (#5923)
* refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)
* feat(vuln): ignore vulnerabilities by PURL (#6178)
* feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)
* feat(k8s): rancher rke2 version support (#5988)
* docs: update kbom distribution for scanning (#6019)
* chore: update CODEOWNERS (#6173)
* fix(swift): try to use branch to resolve version (#6168)
* fix(terraform): ensure consistent path handling across OS (#6161)
* fix(java): add only valid libs from `pom.properties` files from `jars` (#6164)
* fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)
* docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)
* docs: update template path for gitlab-ci tutorial (#6144)
* feat(report): support for filtering licenses and secrets via rego policy files (#6004)
* fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)
* docs: add SecObserve in CI/CD and reporting (#6139)
* fix(alpine): exclude empty licenses for apk packages (#6130)
* docs: add docs tutorial on custom policies with rego (#6104)
* fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)
* feat(vuln): show suppressed vulnerabilities in table (#6084)
* docs: rename governance to principles (#6107)
* docs: add governance (#6090)
* feat(java): add dependency location support for `gradle` files (#6083)
* fix(misconf): get `user` from `Config.User` (#6070)
Update to version 0.49.1:
* fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)
* docs: Fix broken link to 'pronunciation' (#6057)
* fix: fix cursor usage in Redis Clear function (#6056)
* fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)
* test: fix flaky `TestDockerEngine` (#6054)
* fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)
* fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)
* feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)
* docs: add note about Bun (#6001)
* fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)
* fix: check returned error before deferring f.Close() (#6007)
* feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)
* feat(vuln): enable `--vex` for all targets (#5992)
* docs: update link to data sources (#6000)
* feat(java): add support for line numbers for pom.xml files (#5991)
* refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)
* docs: Update troubleshooting guide with image not found error (#5983)
* style: update band logos (#5968)
* docs: update cosign tutorial and commands, update kyverno policy (#5929)
* docs: update command to scan go binary (#5969)
* fix: handle non-parsable images names (#5965)
* fix(amazon): save system files for pkgs containing `amzn` in src (#5951)
* fix(alpine): Add EOL support for alpine 3.19. (#5938)
* feat: allow end-users to adjust K8S client QPS and burst (#5910)
* fix(nodejs): find licenses for packages with slash (#5836)
* fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)
* fix: ignore no init containers (#5939)
* docs: Fix documentation of ecosystem (#5940)
* docs(misconf): multiple ignores in comment (#5926)
* fix(secret): find aws secrets ending with a comma or dot (#5921)
* docs: ✨ Updated ecosystem docs with reference to new community app (#5918)
* fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)
* feat(vex): add PURL matching for CSAF VEX (#5890)
* fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901)
* revert(report): don't escape new line characters for sarif format (#5897)
* docs: improve filter by rego (#5402)
* docs: add_scan2html_to_trivy_ecosystem (#5875)
* fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)
* feat(vex): Add support for CSAF format (#5535)
* feat(python): parse licenses from dist-info folder (#4724)
* feat(nodejs): add yarn alias support (#5818)
* refactor: propagate time through context values (#5858)
* refactor: move PkgRef under PkgIdentifier (#5831)
* fix(cyclonedx): fix unmarshal for licenses (#5828)
* feat(vuln): include pkg identifier on detected vulnerabilities (#5439)
Update to version 0.48.1:
* fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
* refactor(sbom): disable html escaping for CycloneDX (#5764)
* refactor(purl): use `pub` from `package-url` (#5784)
* docs(python): add note to using `pip freeze` for `compatible releases` (#5760)
* fix(report): use OS information for OS packages purl in `github` template (#5783)
* fix(report): fix error if miconfigs are empty (#5782)
* refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
* fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
* docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
* fix(report): update Gitlab template (#5721)
* feat(secret): add support of GitHub fine-grained tokens (#5740)
* fix(misconf): add an image misconf to result (#5731)
* feat(secret): added support of Docker registry credentials (#5720)
Update to version 0.48.0:
* feat: filter k8s core components vuln results (#5713)
* feat(vuln): remove duplicates in Fixed Version (#5596)
* feat(report): output plugin (#4863)
* docs: typo in modules.md (#5712)
* feat: Add flag to configure node-collector image ref (#5710)
* feat(misconf): Add `--misconfig-scanners` option (#5670)
* chore: bump Go to 1.21 (#5662)
* feat: Packagesprops support (#5605)
* docs: update adopters discussion template (#5632)
* docs: terraform tutorial links updated to point to correct loc (#5661)
* fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)
* fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
* fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)
* docs: Update Arch Linux package URL in installation.md (#5619)
* chore: add prefix to image errors (#5601)
* docs(vuln): fix link anchor (#5606)
* docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
* fix: k8s friendly error messages kbom non cluster scans (#5594)
* feat: set InstalledFiles for DEB and RPM packages (#5488)
* fix(report): use time.Time for CreatedAt (#5598)
* test: retry containerd initialization (#5597)
* feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)
* test: mock VM walker (#5589)
* chore: bump node-collector v0.0.9 (#5591)
* feat(misconf): Add support for `--cf-params` for CFT (#5507)
* feat(flag): replace '--slow' with '--parallel' (#5572)
* fix(report): add escaping for Sarif format (#5568)
* chore: show a deprecation notice for `--scanners config` (#5587)
* feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
* test: mock RPM DB (#5567)
* feat: add aliases to '--scanners' (#5558)
* refactor: reintroduce output writer (#5564)
* chore: not load plugins for auto-generating docs (#5569)
* chore: sort supported AWS services (#5570)
* fix: no schedule toleration (#5562)
* fix(cli): set correct `scanners` for `k8s` target (#5561)
* fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)
* refactor(misconf): Update refactored dependencies (#5245)
* feat(secret): add built-in rule for JWT tokens (#5480)
* fix: trivy k8s parse ecr image with arn (#5537)
* fix: fail k8s resource scanning (#5529)
* refactor(misconf): don't remove Highlighted in json format (#5531)
* docs(k8s): fix link in kubernetes.md (#5524)
* docs(k8s): fix whitespace in list syntax (#5525)
Update to version 0.47.0:
* docs: add info that license scanning supports file-patterns flag (#5484)
* docs: add Zora integration into Ecosystem session (#5490)
* fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
* fix: correct error mismatch causing race in fast walks (#5516)
* docs: k8s vulnerability scanning (#5515)
* docs: remove glad for java datasources (#5508)
* chore: remove unused logger attribute in amazon detector (#5476)
* fix: correct error mismatch causing race in fast walks (#5482)
* fix(server): add licenses to `BlobInfo` message (#5382)
* feat: scan vulns on k8s core component apps (#5418)
* fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)
* fix(sbom): save digests for package/application when scanning SBOM files (#5432)
* docs: fix the broken link (#5454)
* docs: fix error when installing `PyYAML` for gh pages (#5462)
* fix(java): download java-db once (#5442)
* docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)
* feat(misconf): Support `--ignore-policy` in config scans (#5359)
* docs(misconf): fix broken table for `Use container image` section (#5425)
* feat(dart): add graph support (#5374)
* refactor: define a new struct for scan targets (#5397)
* fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)
* fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
* docs: remove --scanners none (#5384)
* docs: Update container_image.md #5182 (#5193)
* feat(report): Add `InstalledFiles` field to Package (#4706)
* feat(k8s): add support for vulnerability detection (#5268)
* fix(python): override BOM in `requirements.txt` files (#5375)
* docs: add kbom documentation (#5363)
* test: use maximize build space for VM tests (#5362)
* fix(report): add escaping quotes in misconfig Title for asff template (#5351)
* fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
* fix: add config files to FS for post-analyzers (#5333)
* fix: fix MIME warnings after updating to Go 1.20 (#5336)
* build: fix a compile error with Go 1.21 (#5339)
* feat: added `Metadata` into the k8s resource's scan report (#5322)
* chore: update adopters template (#5330)
* fix(sbom): use PURL or Group and Name in case of Java (#5154)
* docs: add buildkite repository to ecosystem page (#5316)
* chore: enable go-critic (#5302)
* close java-db client (#5273)
* fix(report): removes git::http from uri in sarif (#5244)
* Improve the meaning of sentence (#5301)
* add app nil check (#5274)
* typo: in secret.md (#5281)
* docs: add info about `github` format (#5265)
* feat(dotnet): add license support for NuGet (#5217)
* docs: correctly export variables (#5260)
* chore: Add line numbers for lint output (#5247)
* chore(cli): disable java-db flags in server mode (#5263)
* feat(db): allow passing registry options (#5226)
* refactor(purl): use TypeApk from purl (#5232)
* chore: enable more linters (#5228)
* Fix typo on ide.md (#5239)
* refactor: use defined types (#5225)
* fix(purl): skip local Go packages (#5190)
* docs: update info about license scanning in Yarn projects (#5207)
* fix link (#5203)
* fix(purl): handle rust types (#5186)
* chore: auto-close issues (#5177)
* fix(k8s): kbom support addons labels (#5178)
* test: validate SPDX with the JSON schema (#5124)
* chore: bump trivy-kubernetes-latest (#5161)
* docs: add 'Signature Verification' guide (#4731)
* docs: add image-scanner-with-trivy for ecosystem (#5159)
* fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
* Update filtering.md (#5131)
* changing adopters discussion template (#5091)
* docs: add Bitnami (#5078)
* feat(docker): add support for scanning Bitnami components (#5062)
* feat: add support for .trivyignore.yaml (#5070)
* fix(terraform): improve detection of terraform files (#4984)
* feat: filter artifacts on --exclude-owned flag (#5059)
* fix(sbom): cyclonedx advisory should omit `null` value (#5041)
* build: maximize build space for build tests (#5072)
* feat: improve kbom component name (#5058)
* fix(pom): add licenses for pom artifacts (#5071)
* chore: bump Go to `1.20` (#5067)
* feat: PURL matching with qualifiers in OpenVEX (#5061)
* feat(java): add graph support for pom.xml (#4902)
* feat(swift): add vulns for cocoapods (#5037)
* fix: support image pull secret for additional workloads (#5052)
* fix: #5033 Superfluous double quote in html.tpl (#5036)
* docs(repo): update trivy repo usage and example (#5049)
* perf: Optimize Dockerfile for reduced layers and size (#5038)
* feat: scan K8s Resources Kind with --all-namespaces (#5043)
* fix: vulnerability typo (#5044)
* docs: adding a terraform tutorial to the docs (#3708)
* feat(report): add licenses to sarif format (#4866)
* feat(misconf): show the resource name in the report (#4806)
* chore: update alpine base images (#5015)
* feat: add Package.resolved swift files support (#4932)
* feat(nodejs): parse licenses in yarn projects (#4652)
* fix: k8s private registries support (#5021)
* bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
* feat(vuln): support last_affected field from osv (#4944)
* feat(server): add version endpoint (#4869)
* feat: k8s private registries support (#4987)
* fix(server): add indirect prop to package (#4974)
* docs: add coverage (#4954)
* feat(c): add location for lock file dependencies. (#4994)
* docs: adding blog post on ec2 (#4813)
* revert 32bit bins (#4977)
Update to version 0.44.1:
* fix(report): return severity colors in table format (#4969)
* build: maximize available disk space for release (#4937)
* test(cli): Fix assertion helptext (#4966)
* test: validate CycloneDX with the JSON schema (#4956)
* fix(server): add licenses to the Result message (#4955)
* fix(aws): resolve endpoint if endpoint is passed (#4925)
* fix(sbom): move licenses to `name` field in Cyclonedx format (#4941)
* use testify instead of gotest.tools (#4946)
* fix(nodejs): do not detect lock file in node_modules as an app (#4949)
* bump go-dep-parser (#4936)
* test(aws): move part of unit tests to integration (#4884)
* docs(cli): update help string for file and dir skipping (#4872)
* docs: update the discussion template (#4928)
Update to version 0.44.0:
* feat(repo): support local repositories (#4890)
* bump go-dep-parser (#4893)
* fix(misconf): add missing fields to proto (#4861)
* fix: remove trivy-db package replacement (#4877)
* chore(test): bump the integration test timeout to 15m (#4880)
* chore: update CODEOWNERS (#4871)
* feat(vuln): support vulnerability status (#4867)
* feat(misconf): Support custom URLs for policy bundle (#4834)
* refactor: replace with sortable packages (#4858)
* docs: correct license scanning sample command (#4855)
* fix(report): close the file (#4842)
* feat(misconf): Add support for independently enabling libraries (#4070)
* feat(secret): add secret config file for cache calculation (#4837)
* Fix a link in gitlab-ci.md (#4850)
* fix(flag): use globalstar to skip directories (#4854)
* fix(license): using common way for splitting licenses (#4434)
* fix(containerd): Use img platform in exporter instead of strict host platform (#4477)
* remove govulndb (#4783)
* fix(java): inherit licenses from parents (#4817)
* refactor: add allowed values for CLI flags (#4800)
* add example regex to allow rules (#4827)
* feat(misconf): Support custom data for rego policies for cloud (#4745)
* docs: correcting the trivy k8s tutorial (#4815)
* feat(cli): add --tf-exclude-downloaded-modules flag (#4810)
* fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)
* feat(misconf): enable --policy flag to accept directory and files both (#4777)
* feat(python): add license fields (#4722)
* fix: support trivy k8s-version on k8s sub-command (#4786)
Update to version 0.43.1:
* docs(image): fix the comment on the soft/hard link (#4740)
* check Type when filling pkgs in vulns (#4776)
* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)
* fix(rocky): add architectures support for advisories (#4691)
* fix: documentation about resetting trivy image (#4733)
* fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)
* fix: update Amazon Linux 1 EOL (#4761)
Update to version 0.43.0:
* feat(nodejs): support yarn workspaces (#4664)
* fix(image): pass the secret scanner option to scan the img config (#4735)
* fix: scan job pod is not found on k8s-1.27.x (#4729)
* feat(docker): add support for mTLS authentication when connecting to registry (#4649)
* fix: skip scanning the gpg-pubkey package (#4720)
* Fix http registry oci pull (#4701)
* feat(misconf): Support skipping services (#4686)
* docs: fix supported modes for pubspec.lock files (#4713)
* fix(misconf): disable the terraform plan analyzer for other scanners (#4714)
* clarifying a dir path is required for custom policies (#4716)
* chore: update alpine base images (#4715)
* fix last-history-created (#4697)
* feat: kbom and cyclonedx v1.5 spec support (#4708)
* docs: add information about Aqua (#4590)
* fix: k8s escape resource filename on windows os (#4693)
* feat: cyclonedx sbom custom property support (#4688)
* add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690)
* use group field for jar in cyclonedx (#4674)
* feat(java): capture licenses from pom.xml (#4681)
* feat(helm): make sessionAffinity configurable (#4623)
* fix: Show the correct URL of the secret scanning (#4682)
* document expected file pattern definition format (#4654)
* fix: format arg error (#4642)
* feat(k8s): cyclonedx kbom support (#4557)
* fix(nodejs): remove unused fields for the pnpm lockfile (#4630)
* fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)
* fix(debian): update EOL for Debian 12 (#4647)
* chore: unnecessary use of fmt.Sprintf (S1039) (#4637)
* fix(db): change argument order in Exists query for JavaDB (#4595)
* feat(aws): Add support to see successes in results (#4427)
* feat: trivy k8s private registry support (#4567)
* docs: add general coverage page (#3859)
* chore: create SECURITY.md (#4601)
Update to version 0.42.1:
* fix(misconf): deduplicate misconf results (#4588)
* fix(vm): support sector size of 4096 (#4564)
* fix(misconf): terraform relative paths (#4571)
* fix(purl): skip unsupported library type (#4577)
* fix(terraform): recursively detect all Root Modules (#4457)
* fix(vm): support post analyzer for vm command (#4544)
* fix(nodejs): change the type of the devDependencies field (#4560)
* fix(sbom): export empty dependencies in CycloneDX (#4568)
* refactor: add composite fs for post-analyzers (#4556)
* feat: add SBOM analyzer (#4210)
* fix(sbom): update logic for work with files in spdx format (#4513)
* feat: azure workload identity support (#4489)
* feat(ubuntu): add eol date for 18.04 ESM (#4524)
* fix(misconf): Update required extensions for terraformplan (#4523)
* refactor(cyclonedx): add intermediate representation (#4490)
* fix(misconf): Remove debug print while scanning (#4521)
* fix(java): remove duplicates of jar libs (#4515)
* fix(java): fix overwriting project props in pom.xml (#4498)
* docs: Update compilation instructions (#4512)
* fix(nodejs): update logic for parsing pnpm lock files (#4502)
* fix(secret): remove aws-account-id rule (#4494)
* feat(oci): add support for referencing an input image by digest (#4470)
* docs: fixed the format (#4503)
* fix(java): add support of * for exclusions for pom.xml files (#4501)
* feat: adding issue template for documentation (#4453)
* docs: switch glad to ghsa for Go (#4493)
* feat(misconf): Add terraformplan support (#4342)
* feat(debian): add digests for dpkg (#4445)
* feat(k8s): exclude node scanning by node labels (#4459)
* docs: add info about multi-line mode for regexp from custom secret rules (#4159)
* feat(cli): convert JSON reports into a different format (#4452)
* feat(image): add logic to guess base layer for docker-cis scan (#4344)
* fix(cyclonedx): set original names for packages (#4306)
* feat: group subcommands (#4449)
* feat(cli): add retry to cache operations (#4189)
* fix(vuln): report architecture for `apk` packages (#4247)
* refactor: enable cases where return values are not needed in pipeline (#4443)
* fix(image): resolve scan deadlock when error occurs in slow mode (#4336)
* docs(misconf): Update docs for kubernetes file patterns (#4435)
* test: k8s integration tests (#4423)
* feat(redhat): add package digest for rpm (#4410)
* feat(misconf): Add `--reset-policy-bundle` for policy bundle (#4167)
* fix: typo (#4431)
* add user instruction to imgconf (#4429)
* fix(k8s): add image sources (#4411)
* docs(scanning): Add versioning banner (#4415)
* feat(cli): add mage command to update golden integration test files (#4380)
* feat: node-collector custom namespace support (#4407)
* refactor(sbom): use multiline json for spdx-json format (#4404)
* fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347)
* refactor: code-optimization (#4214)
* feat(image): Add image-src flag to specify which runtime(s) to use (#4047)
* test: skip wrong update of test golden files (#4379)
* refactor: don't return error for package.json without version/name (#4377)
* docs: cmd error (#4376)
* test(cli): add test for config file and env combination (#2666)
* fix(report): set a correct file location for license scan output (#4326)
* chore(alpine): Update Alpine to 3.18 (#4351)
* fix(alpine): add EOL date for Alpine 3.18 (#4308)
* feat: allow root break for mapfs (#4094)
* docs(misconf): Remove examples.md (#4256)
* fix(ubuntu): update eol dates for Ubuntu (#4258)
* feat(alpine): add digests for apk packages (#4168)
* chore: add discussion templates (#4190)
* fix(terraform): Support tfvars (#4123)
* chore: separate docs:generate (#4242)
* refactor: define vulnerability scanner interfaces (#4117)
* feat: unified k8s scan resources (#4188)
* chore: trivy bin ignore (#4212)
* feat(image): enforce image platform (#4083)
* fix(ubuntu): fix version selection logic for ubuntu esm (#4171)
* chore: install.sh support for windows (#4155)
* docs: moving skipping files out of others (#4154)
Update to version 0.41.0:
* fix(spdx): add workaround for no src packages (#4118)
* test(golang): rename broken go.mod (#4129)
* feat(sbom): add supplier field (#4122)
* test(misconf): skip downloading of policies for tests #4126
* refactor: use debug message for post-analyze errors (#4037)
* feat(sbom): add VEX support (#4053)
* feat(sbom): add primary package purpose field for SPDX (#4119)
* fix(k8s): fix quiet flag (#4120)
* fix(python): parse of pip extras (#4103)
* feat(java): use full path for nested jars (#3992)
* feat(license): add new flag for classifier confidence level (#4073)
* feat: config and fs compliance support (#4097)
* feat(spdx): add support for SPDX 2.3 (#4058)
* fix: k8s all-namespaces support (#4096)
* perf(misconf): replace with post-analyzers (#4090)
* fix(helm): update networking API version detection (#4106)
* feat(image): custom docker host option (#3599)
* style: debug flag is incorrect and needs extra - (#4087)
* docs(vuln): Document inline vulnerability filtering comments (#4024)
* feat(fs): customize error callback during fs walk (#4038)
* fix(ubuntu): skip copyright files from subfolders (#4076)
* docs: restructure scanners (#3977)
* fix: fix `file does not exist` error for post-analyzers (#4061)
Update to version 0.40.0:
* feat(flag): Support globstar for `--skip-files` and `--skip-directories` (#4026)
* fix: return insecure option to download javadb (#4064)
* fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)
* fix(k8s): current context title (#4055)
* fix(k8s): quit support on k8s progress bar (#4021)
* chore: add a note about Dockerfile.canary (#4050)
* fix(vuln): report architecture for debian packages (#4032)
* feat: add support for Chainguard's commercial distro (#3641)
* fix(vuln): fix error message for remote scanners (#4031)
* feat(report): add image metadata to SARIF (#4020)
* docs: fix broken cache link on Installation page (#3999)
* fix: lock downloading policies and database (#4017)
* fix: avoid concurrent access to the global map (#4014)
* feat(rust): add Cargo.lock v3 support (#4012)
* feat: auth support oci download server subcommand (#4008)
* chore: install.sh support for armv7 (#3985)
Update to version 0.39.1:
* fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)
* fix(sbom): fix infinite loop for cyclonedx (#3998)
* fix: use warning for errors from enrichment files for post-analyzers (#3972)
* fix(helm): added annotation to psp configurable from values (#3893)
* fix(secret): update built-in rule `tests` (#3855)
* test: rewrite scripts in Go (#3968)
* docs(cli): Improve glob documentation (#3945)
Update to version 0.39.0:
* docs(cli): added makefile and go file to create docs (#3930)
* feat(cyclonedx): support dependency graph (#3177)
* feat(server): redis with public TLS certs support (#3783)
* feat(flag): Add glob support to `--skip-dirs` and `--skip-files` (#3866)
* chore: replace make with mage (#3932)
* fix(sbom): add checksum to files (#3888)
* chore: remove unused mount volumes (#3927)
* feat: add auth support for downloading OCI artifacts (#3915)
* refactor(purl): use epoch in qualifier (#3913)
* feat(image): add registry options (#3906)
* feat(rust): dependency tree and line numbers support for cargo lock file (#3746)
* feat(php): add support for location, licenses and graph for composer.lock files (#3873)
* feat(image): discover SBOM in OCI referrers (#3768)
* docs: change cache-dir key in config file (#3897)
* fix(sbom): use release and epoch for SPDX package version (#3896)
* docs: Update incorrect comment for skip-update flag (#3878)
* refactor(misconf): simplify policy filesystem (#3875)
* feat(nodejs): parse package.json alongside yarn.lock (#3757)
* fix(spdx): add PkgDownloadLocation field (#3879)
* chore(amazon): update EOL (#3876)
* fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877)
* feat(amazon): add al2023 support (#3854)
* docs(misconf): Add information about selectors (#3703)
* docs(cli): update CLI docs with cobra (#3815)
* feat: k8s parallel processing (#3693)
* docs: add DefectDojo in the Security Management section (#3871)
* refactor: add pipeline (#3868)
* feat(cli): add javadb metadata to version info (#3835)
* feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849)
* feat: add node toleration option (#3823)
* fix: allow mapfs to open dirs (#3867)
* fix(report): update uri only for os class targets (#3846)
* feat(nodejs): Add v3 npm lock file support (#3826)
* feat(nodejs): parse package.json files alongside package-lock.json (#2916)
* docs(misconf): Fix links to built in policies (#3841)
Update to version 0.38.3:
from 1.86.1 to 1.89.1
* fix(java): skip empty files for jar post analyzer
* fix(docker): build healthcheck command for line without
/bin/sh prefix
* refactor(license): use goyacc for license parser (#3824)
23.0.0-rc.1+incompatible to 23.0.1+incompatible
* fix: populate timeout context to node-collector
* fix: exclude node collector scanning (#3771)
* fix: display correct flag in error message when skipping
java db update #3808
* fix: disable jar analyzer for scanners other than vuln (#3810)
* fix(sbom): fix incompliant license format for spdx (#3335)
* fix(java): the project props take precedence over the
parent's props (#3320)
* docs: add canary build info to README.md (#3799)
* docs: adding link to gh token generation (#3784)
* docs: changing docs in accordance with #3460 (#3787)
Update to version 0.38.2:
* fix(license): disable jar analyzer for licence scan only (#3780)
* bump trivy-issue-action to v0.0.0; skip `pkg` dir (#3781)
* fix: skip checking dirs for required post-analyzers (#3773)
* docs: add information about plugin format (#3749)
* fix(sbom): add trivy version to spdx creators tool field (#3756)
Update to version 0.38.1:
* feat(misconf): Add support to show policy bundle version (#3743)
* fix(python): fix error with optional dependencies in pyproject.toml (#3741)
* add id for package.json files (#3750)
Update to version 0.38.0:
* fix(cli): pass integer to exit-on-eol (#3716)
* feat: add kubernetes pss compliance (#3498)
* feat: Adding --module-dir and --enable-modules (#3677)
* feat: add special IDs for filtering secrets (#3702)
* docs(misconf): Add guide on input schema (#3692)
* feat(go): support dependency graph and show only direct dependencies in the tree (#3691)
* feat: docker multi credential support (#3631)
* feat: summarize vulnerabilities in compliance reports (#3651)
* feat(python): parse pyproject.toml alongside poetry.lock (#3695)
* feat(python): add dependency tree for poetry lock file (#3665)
* fix(cyclonedx): incompliant affect ref (#3679)
* chore(helm): update skip-db-update environment variable (#3657)
* fix(spdx): change CreationInfo timestamp format RFC3339Nano to RFC3339 (#3675)
* fix(sbom): export empty dependencies in CycloneDX (#3664)
* docs: java-db air-gap doc tweaks (#3561)
* feat(go): license support (#3683)
* feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)
* fix(k8s): k8s label size (#3678)
* fix(cyclondx): fix array empty value, null to [] (#3676)
* refactor: rewrite gomod analyzer as post-analyzer (#3674)
* feat: config outdated-api result filtered by k8s version (#3578)
* fix: Update to Alpine 3.17.2 (#3655)
* feat: add support for virtual files (#3654)
* feat: add post-analyzers (#3640)
* feat(python): add dependency locations for Pipfile.lock (#3614)
* fix(java): fix groupID selection by ArtifactID for jar files. (#3644)
* fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)
* feat(cli): add command completion (#3061)
* docs(misconf): update dockerfile link (#3627)
* feat(flag): add exit-on-eosl option (#3423)
* fix(cli): make java db repository configurable (#3595)
* chore: bump trivy-kubernetes (#3613)
Patchnames
openSUSE-2024-268
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for trivy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\ntrivy was updated to fix the following issues:\n\nUpdate to version 0.54.1:\n\n* fix(flag): incorrect behavior for deprected flag `--clear-cache` [backport: release/v0.54] (#7285)\n* fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)\n* fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)\n* docs: update ecosystem page reporting with plopsec.com app (#7262)\n* feat(vex): retrieve VEX attestations from OCI registries (#7249)\n* feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)\n* refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259)\n* fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110)\n* chore: show VEX notice for OSS maintainers in CI environments (#7246)\n* feat(vuln): add `--pkg-relationships` (#7237)\n* docs: show VEX cli pages + update config file page for VEX flags (#7244)\n* fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194)\n* feat(vex): VEX Repository support (#7206)\n* fix(secret): skip regular strings contain secret patterns (#7182)\n* feat: share build-in rules (#7207)\n* fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)\n* fix(cli): error on missing config file (#7154)\n* fix(secret): update length of `hugging-face-access-token` (#7216)\n* feat(sbom): add vulnerability support for SPDX formats (#7213)\n* fix(secret): trim excessively long lines (#7192)\n* chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)\n* fix(server): pass license categories to options (#7203)\n* feat(mariner): Add support for Azure Linux (#7186)\n* docs: updates config file (#7188)\n* refactor(fs): remove unused field for CompositeFS (#7195)\n* fix: add missing platform and type to spec (#7149)\n* feat(misconf): enabled 
China configuration for ACRs (#7156)\n* fix: close file when failed to open gzip (#7164)\n* docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)\n* docs(misconf): add info about limitations for terraform plan json (#7143)\n* chore: add VEX for Trivy images (#7140)\n* chore: add VEX document and generator for Trivy (#7128)\n* fix(misconf): do not evaluate TF when a load error occurs (#7109)\n* feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)\n* refactor(secret): move warning about file size after `IsBinary` check (#7123)\n* feat: add openSUSE tumbleweed detection and scanning (#6965)\n* test: add missing advisory details for integration tests database (#7122)\n* fix: Add dependencyManagement exclusions to the child exclusions (#6969)\n* fix: ignore nodes when listing permission is not allowed (#7107)\n* fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)\n* refactor(secret): add warning about large files (#7085)\n* feat(nodejs): add license parser to pnpm analyser (#7036)\n* refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)\n* feat: add `log.FilePath()` function for logger (#7080)\n* chore: bump golangci-lint from v1.58 to v1.59 (#7077)\n* perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation (#7065)\n* refactor: pass DB dir to trivy-db (#7057)\n* docs: navigate to the release highlights and summary (#7072)\n\nUpdate to version 0.53.0 (bsc#1227022, CVE-2024-6257):\n\n* feat(conda): add licenses support for `environment.yml` files (#6953)\n* fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)\n* feat: add memory cache backend (#7048)\n* fix(sbom): use package UIDs for uniqueness (#7042)\n* feat(php): add installed.json file support (#4865)\n* docs: \u2728 Updated ecosystem docs with reference to new community app (#7041)\n* fix: use embedded when command path not found (#7037)\n* refactor: use google/wire for cache (#7024)\n* 
fix(cli): show info message only when --scanners is available (#7032)\n* chore: enable float-compare rule from testifylint (#6967)\n* docs: Add sudo on commands, chmod before mv on install docs (#7009)\n* fix(plugin): respect `--insecure` (#7022)\n* feat(k8s)!: node-collector dynamic commands support (#6861)\n* fix(sbom): take pkg name from `purl` for maven pkgs (#7008)\n* feat!: add clean subcommand (#6993)\n* chore: use `!` for breaking changes (#6994)\n* feat(aws)!: Remove aws subcommand (#6995)\n* refactor: replace global cache directory with parameter passing (#6986)\n* fix(sbom): use `purl` for `bitnami` pkg names (#6982)\n* chore: bump Go toolchain version (#6984)\n* refactor: unify cache implementations (#6977)\n* docs: non-packaged and sbom clarifications (#6975)\n* BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin (#6819)\n* docs: delete unknown URL (#6972)\n* refactor: use version-specific URLs for documentation references (#6966)\n* refactor: delete db mock (#6940)\n* refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)\n* feat: Add local ImageID to SARIF metadata (#6522)\n* fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)\n* feat(java): add support for sbt projects using sbt-dependency-lock (#6882)\n* feat(java): add support for `maven-metadata.xml` files for remote snapshot repositories. (#6950)\n* fix(purl): add missed os types (#6955)\n* fix(cyclonedx): trim non-URL info for `advisory.url` (#6952)\n* fix(c): don\u0027t skip conan files from `file-patterns` and scan `.conan2` cache dir (#6949)\n* fix(image): parse `image.inspect.Created` field only for non-empty values (#6948)\n* fix(misconf): handle source prefix to ignore (#6945)\n* fix(misconf): fix parsing of engine links and frameworks (#6937)\n* feat(misconf): support of selectors for all providers for Rego (#6905)\n* fix(license): return license separation using separators `,`, `or`, etc. 
(#6916)\n* feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)\n* BREAKING(misconf): flatten recursive types (#6862)\n* test: bump docker API to 1.45 (#6914)\n* feat(sbom): migrate to `CycloneDX v1.6` (#6903)\n* feat(image): Set User-Agent header for Trivy container registry requests (#6868)\n* fix(debian): take installed files from the origin layer (#6849)\n* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken (#6858)\n* feat(misconf): API Gateway V1 support for CloudFormation (#6874)\n* feat(plugin): add support for nested archives (#6845)\n* fix(sbom): don\u0027t overwrite `srcEpoch` when decoding SBOM files (#6866)\n* fix(secret): `Asymmetric Private Key` shouldn\u0027t start with space (#6867)\n* chore: auto label discussions (#5259)\n* docs: explain how VEX is applied (#6864)\n* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)\n* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)\n* feat(dart): use first version of constraint for dependencies using SDK version (#6239)\n* fix(misconf): parsing numbers without fraction as int (#6834)\n* fix(misconf): fix caching of modules in subdirectories (#6814)\n* feat(misconf): add metadata to Cloud schema (#6831)\n* test: replace embedded Git repository with dynamically created repository (#6824)\n\nUpdate to version 0.52.2:\n\n* test: bump docker API to 1.45 [backport: release/v0.52] (#6922)\n* fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)\n\nUpdate to version 0.52.1:\n\n* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)\n* fix(sbom): don\u0027t overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)\n* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)\n* docs: explain how VEX is applied 
(#6864)\n* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)\n\nUpdate to version 0.52.0 (bsc#1224781, CVE-2024-35192):\n\n* fix(plugin): initialize logger (#6836)\n* fix(cli): always output fatal errors to stderr (#6827)\n* fix: close testfile (#6830)\n* docs(julia): add scanner table (#6826)\n* feat(python): add license support for `requirement.txt` files (#6782)\n* docs: add more workarounds for out-of-disk (#6821)\n* chore: improve error message for image not found (#6822)\n* fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808)\n* fix: clean up golangci lint configuration (#6797)\n* fix(python): add package name and version validation for `requirements.txt` files. (#6804)\n* feat(vex): improve relationship support in CSAF VEX (#6735)\n* chore(alpine): add eol date for Alpine 3.20 (#6800)\n* docs(plugin): add missed `plugin` section (#6799)\n* fix: include packages unless it is not needed (#6765)\n* feat(misconf): support for VPC resources for inbound/outbound rules (#6779)\n* chore: replace interface{} with any (#6751)\n* fix: close settings.xml (#6768)\n* refactor(go): add priority for gobinary module versions from `ldflags` (#6745)\n* build: use main package instead of main.go (#6766)\n* feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)\n* docs: add info on adding compliance checks (#6275)\n* docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)\n* feat(nodejs): add v9 pnpm lock file support (#6617)\n* feat(vex): support non-root components for products in OpenVEX (#6728)\n* feat(python): add line number support for `requirement.txt` files (#6729)\n* chore: respect timeout value in .golangci.yaml (#6724)\n* fix: node-collector high and critical cves (#6707)\n* Merge pull request from GHSA-xcq4-m2r3-cmrj\n* chore: auto-bump golang patch versions (#6711)\n* fix(misconf): don\u0027t shift ignore rule related to code (#6708)\n* 
feat(plugin): specify plugin version (#6683)\n* chore: enforce golangci-lint version (#6700)\n* fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705)\n* fix(go): add only non-empty root modules for `gobinaries` (#6710)\n* refactor: unify package addition and vulnerability scanning (#6579)\n* fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)\n* feat(misconf): Add support for deprecating a check (#6664)\n* feat: Add Julia language analyzer support (#5635)\n* feat(misconf): register builtin Rego funcs from trivy-checks (#6616)\n* fix(report): hide empty tables if all vulns has been filtered (#6352)\n* feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)\n* feat: add support for plugin index (#6674)\n* docs: add support table for client server mode (#6498)\n* fix: close APKINDEX archive file (#6672)\n* fix(misconf): skip Rego errors with a nil location (#6666)\n* refactor: move artifact types under artifact package to avoid import cycles (#6652)\n* refactor(misconf): remove extrafs (#6656)\n* refactor: re-define module structs for serialization (#6655)\n* chore(misconf): Clean up iac logger (#6642)\n* feat(misconf): support symlinks inside of Helm archives (#6621)\n* feat(misconf): add Terraform \u0027removed\u0027 block to schema (#6640)\n* refactor: unify Library and Package structs (#6633)\n* fix: use of specified context to obtain cluster name (#6645)\n* perf(misconf): parse rego input once (#6615)\n* fix(misconf): skip Rego errors with a nil location (#6638)\n* docs: link warning to both timeout config options (#6620)\n* docs: fix usage of image-config-scanners (#6635)\n\nUpdate to version 0.51.1:\n\n* fix(fs): handle default skip dirs properly (#6628)\n* fix(misconf): load cached tf modules (#6607)\n* fix(misconf): do not use semver for parsing tf module versions (#6614)\n* refactor: move setting scanners when using compliance reports to flag parsing (#6619)\n* feat: introduce 
package UIDs for improved vulnerability mapping (#6583)\n* perf(misconf): Improve cause performance (#6586)\n* docs: trivy-k8s new experiance remove un-used section (#6608)\n* docs: remove mention of GitLab Gold because it doesn\u0027t exist anymore (#6609)\n* feat(misconf): Use updated terminology for misconfiguration checks (#6476)\n* docs: use `generic` link from `trivy-repo` (#6606)\n* docs: update trivy k8s with new experience (#6465)\n* feat: support `--skip-images` scanning flag (#6334)\n* BREAKING: add support for k8s `disable-node-collector` flag (#6311)\n* feat: add ubuntu 23.10 and 24.04 support (#6573)\n* docs(go): add stdlib (#6580)\n* feat(go): parse main mod version from build info settings (#6564)\n* feat: respect custom exit code from plugin (#6584)\n* docs: add asdf and mise installation method (#6063)\n* feat(vuln): Handle scanning conan v2.x lockfiles (#6357)\n* feat: add support `environment.yaml` files (#6569)\n* fix: close plugin.yaml (#6577)\n* fix: trivy k8s avoid deleting non-default node collector namespace (#6559)\n* BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)\n* feat(go): add main module (#6574)\n* feat: add relationships (#6563)\n* docs: mention `--show-suppressed` is available in table (#6571)\n* chore: fix sqlite to support loong64 (#6511)\n* fix(debian): sort dpkg info before parsing due to exclude directories (#6551)\n* docs: update info about config file (#6547)\n* docs: remove RELEASE_VERSION from trivy.repo (#6546)\n* fix(sbom): change error to warning for multiple OSes (#6541)\n* fix(vuln): skip empty versions (#6542)\n* feat(c): add license support for conan lock files (#6329)\n* fix(terraform): Attribute and fileset fixes (#6544)\n* refactor: change warning if no vulnerability details are found (#6230)\n* refactor(misconf): improve error handling in the Rego scanner (#6527)\n* feat(go): parse main module of go binary files (#6530)\n* refactor(misconf): simplify the retrieval of module 
annotations (#6528)\n* docs(nodejs): add info about supported versions of pnpm lock files (#6510)\n* feat(misconf): loading embedded checks as a fallback (#6502)\n* fix(misconf): Parse JSON k8s manifests properly (#6490)\n* refactor: remove parallel walk (#5180)\n* fix: close pom.xml (#6507)\n* fix(secret): convert severity for custom rules (#6500)\n* fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)\n* fix: typo (#6283)\n* docs(k8s,image): fix command-line syntax issues (#6403)\n* fix(misconf): avoid panic if the scheme is not valid (#6496)\n* feat(image): goversion as stdlib (#6277)\n* fix: add color for error inside of log message (#6493)\n* docs: fix links to OPA docs (#6480)\n* refactor: replace zap with slog (#6466)\n* docs: update links to IaC schemas (#6477)\n* chore: bump Go to 1.22 (#6075)\n* refactor(terraform): sync funcs with Terraform (#6415)\n* feat(misconf): add helm-api-version and helm-kube-version flag (#6332)\n* fix(terraform): eval submodules (#6411)\n* refactor(terraform): remove unused options (#6446)\n* refactor(terraform): remove unused file (#6445)\n* fix(misconf): Escape template value correctly (#6292)\n* feat(misconf): add support for wildcard ignores (#6414)\n* fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)\n* refactor(terraform): remove metrics collection (#6444)\n* feat(cloudformation): add support for logging and endpoint access for EKS (#6440)\n* fix(db): check schema version for image name only (#6410)\n* feat(misconf): Support private registries for misconf check bundle (#6327)\n* feat(cloudformation): inline ignore support for YAML templates (#6358)\n* feat(terraform): ignore resources by nested attributes (#6302)\n* perf(helm): load in-memory files (#6383)\n* feat(aws): apply filter options to result (#6367)\n* feat(aws): quiet flag support (#6331)\n* fix(misconf): clear location URI for SARIF (#6405)\n* test(cloudformation): add CF tests (#6315)\n* 
fix(cloudformation): infer type after resolving a function (#6406)\n* fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)\n* docs: add info about support for package license detection in `fs`/`repo` modes (#6381)\n* fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)\n* fix: use `0600` perms for tmp files for post analyzers (#6386)\n* fix(helm): scan the subcharts once (#6382)\n* docs(terraform): add file patterns for Terraform Plan (#6393)\n* fix(terraform): \u0441hecking SSE encryption algorithm validity (#6341)\n* fix(java): parse modules from `pom.xml` files once (#6312)\n* fix(server): add Locations for `Packages` in client/server mode (#6366)\n* fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)\n* fix(report): don\u0027t include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)\n* chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)\n* feat(java): add support licenses and graph for gradle lock files (#6140)\n* feat(vex): consider root component for relationships (#6313)\n* fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)\n* chore: updates wazero to v1.7.0 (#6301)\n* feat(sbom): Support license detection for SBOM scan (#6072)\n* refactor(sbom): use intermediate representation for SPDX (#6310)\n* docs(terraform): improve documentation for filtering by inline comments (#6284)\n* fix(terraform): fix policy document retrieval (#6276)\n* refactor(terraform): remove unused custom error (#6303)\n* refactor(sbom): add intermediate representation for BOM (#6240)\n* fix(amazon): check only major version of AL to find advisories (#6295)\n* fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)\n* fix(nodejs): add name validation for package name from `package.json` (#6268)\n* docs: Added install instructions for FreeBSD (#6293)\n* 
feat(image): customer podman host or socket option (#6256)\n* feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213)\n* fix(license): reorder logic of how python package licenses are acquired (#6220)\n* test(terraform): skip cached modules (#6281)\n* feat(secret): Support for detecting Hugging Face Access Tokens (#6236)\n* fix(cloudformation): support of all SSE algorithms for s3 (#6270)\n* feat(terraform): Terraform Plan snapshot scanning support (#6176)\n* fix: typo function name and comment optimization (#6200)\n* fix(java): don\u0027t ignore runtime scope for pom.xml files (#6223)\n* fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)\n* test(k8s): use test-db for k8s integration tests (#6222)\n* fix(terraform): fix root module search (#6160)\n* test(parser): squash test data for yarn (#6203)\n* fix(terraform): do not re-expand dynamic blocks (#6151)\n* docs: update ecosystem page reporting with db app (#6201)\n* fix: k8s summary separate infra and user finding results (#6120)\n* fix: add context to target finding on k8s table view (#6099)\n* fix: Printf format err (#6198)\n* refactor: better integration of the parser into Trivy (#6183)\n* feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)\n* fix(vex): CSAF filtering should consider relationships (#5923)\n* refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)\n* feat(vuln): ignore vulnerabilities by PURL (#6178)\n* feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)\n* feat(k8s): rancher rke2 version support (#5988)\n* docs: update kbom distribution for scanning (#6019)\n* chore: update CODEOWNERS (#6173)\n* fix(swift): try to use branch to resolve version (#6168)\n* fix(terraform): ensure consistent path handling across OS (#6161)\n* fix(java): add only valid libs from `pom.properties` 
files from `jars` (#6164)\n* fix(sbom): skip executable file analysis if Rekor isn\u0027t a specified SBOM source (#6163)\n* docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)\n* docs: update template path for gitlab-ci tutorial (#6144)\n* feat(report): support for filtering licenses and secrets via rego policy files (#6004)\n* fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)\n* docs: add SecObserve in CI/CD and reporting (#6139)\n* fix(alpine): exclude empty licenses for apk packages (#6130)\n* docs: add docs tutorial on custom policies with rego (#6104)\n* fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)\n* feat(vuln): show suppressed vulnerabilities in table (#6084)\n* docs: rename governance to principles (#6107)\n* docs: add governance (#6090)\n* feat(java): add dependency location support for `gradle` files (#6083)\n* fix(misconf): get `user` from `Config.User` (#6070)\n\nUpdate to version 0.49.1:\n\n* fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)\n* docs: Fix broken link to \u0027pronunciation\u0027 (#6057)\n* fix: fix cursor usage in Redis Clear function (#6056)\n* fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)\n* test: fix flaky `TestDockerEngine` (#6054)\n* fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)\n* fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)\n* feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)\n* docs: add note about Bun (#6001)\n* fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)\n* fix: check returned error before deferring f.Close() (#6007)\n* feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)\n* feat(vuln): enable `--vex` for all targets (#5992)\n* docs: update 
link to data sources (#6000)\n* feat(java): add support for line numbers for pom.xml files (#5991)\n* refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)\n* docs: Update troubleshooting guide with image not found error (#5983)\n* style: update band logos (#5968)\n* docs: update cosign tutorial and commands, update kyverno policy (#5929)\n* docs: update command to scan go binary (#5969)\n* fix: handle non-parsable images names (#5965)\n* fix(amazon): save system files for pkgs containing `amzn` in src (#5951)\n* fix(alpine): Add EOL support for alpine 3.19. (#5938)\n* feat: allow end-users to adjust K8S client QPS and burst (#5910)\n* fix(nodejs): find licenses for packages with slash (#5836)\n* fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)\n* fix: ignore no init containers (#5939)\n* docs: Fix documentation of ecosystem (#5940)\n* docs(misconf): multiple ignores in comment (#5926)\n* fix(secret): find aws secrets ending with a comma or dot (#5921)\n* docs: \u2728 Updated ecosystem docs with reference to new community app (#5918)\n* fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)\n* feat(vex): add PURL matching for CSAF VEX (#5890)\n* fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. 
(#5901)\n* revert(report): don\u0027t escape new line characters for sarif format (#5897)\n* docs: improve filter by rego (#5402)\n* docs: add_scan2html_to_trivy_ecosystem (#5875)\n* fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)\n* feat(vex): Add support for CSAF format (#5535)\n* feat(python): parse licenses from dist-info folder (#4724)\n* feat(nodejs): add yarn alias support (#5818)\n* refactor: propagate time through context values (#5858)\n* refactor: move PkgRef under PkgIdentifier (#5831)\n* fix(cyclonedx): fix unmarshal for licenses (#5828)\n* feat(vuln): include pkg identifier on detected vulnerabilities (#5439)\n\nUpdate to version 0.48.1:\n\n* fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)\n* refactor(sbom): disable html escaping for CycloneDX (#5764)\n* refactor(purl): use `pub` from `package-url` (#5784)\n* docs(python): add note to using `pip freeze` for `compatible releases` (#5760)\n* fix(report): use OS information for OS packages purl in `github` template (#5783)\n* fix(report): fix error if miconfigs are empty (#5782)\n* refactor(vuln): don\u0027t remove VendorSeverity in JSON report (#5761)\n* fix(report): don\u0027t mark misconfig passed tests as failed in junit.tpl (#5767)\n* docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)\n* fix(report): update Gitlab template (#5721)\n* feat(secret): add support of GitHub fine-grained tokens (#5740)\n* fix(misconf): add an image misconf to result (#5731)\n* feat(secret): added support of Docker registry credentials (#5720)\n\nUpdate to version 0.48.0:\n\n* feat: filter k8s core components vuln results (#5713)\n* feat(vuln): remove duplicates in Fixed Version (#5596)\n* feat(report): output plugin (#4863)\n* docs: typo in modules.md (#5712)\n* feat: Add flag to configure node-collector image ref (#5710)\n* feat(misconf): Add `--misconfig-scanners` option (#5670)\n* chore: bump Go to 1.21 (#5662)\n* feat: 
Packagesprops support (#5605)\n* docs: update adopters discussion template (#5632)\n* docs: terraform tutorial links updated to point to correct loc (#5661)\n* fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)\n* fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)\n* fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)\n* docs: Update Arch Linux package URL in installation.md (#5619)\n* chore: add prefix to image errors (#5601)\n* docs(vuln): fix link anchor (#5606)\n* docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)\n* fix: k8s friendly error messages kbom non cluster scans (#5594)\n* feat: set InstalledFiles for DEB and RPM packages (#5488)\n* fix(report): use time.Time for CreatedAt (#5598)\n* test: retry containerd initialization (#5597)\n* feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)\n* test: mock VM walker (#5589)\n* chore: bump node-collector v0.0.9 (#5591)\n* feat(misconf): Add support for `--cf-params` for CFT (#5507)\n* feat(flag): replace \u0027--slow\u0027 with \u0027--parallel\u0027 (#5572)\n* fix(report): add escaping for Sarif format (#5568)\n* chore: show a deprecation notice for `--scanners config` (#5587)\n* feat(report): Add CreatedAt to the JSON report. 
(#5542) (#5549)\n* test: mock RPM DB (#5567)\n* feat: add aliases to \u0027--scanners\u0027 (#5558)\n* refactor: reintroduce output writer (#5564)\n* chore: not load plugins for auto-generating docs (#5569)\n* chore: sort supported AWS services (#5570)\n* fix: no schedule toleration (#5562)\n* fix(cli): set correct `scanners` for `k8s` target (#5561)\n* fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)\n* refactor(misconf): Update refactored dependencies (#5245)\n* feat(secret): add built-in rule for JWT tokens (#5480)\n* fix: trivy k8s parse ecr image with arn (#5537)\n* fix: fail k8s resource scanning (#5529)\n* refactor(misconf): don\u0027t remove Highlighted in json format (#5531)\n* docs(k8s): fix link in kubernetes.md (#5524)\n* docs(k8s): fix whitespace in list syntax (#5525)\n\nUpdate to version 0.47.0:\n\n* docs: add info that license scanning supports file-patterns flag (#5484)\n* docs: add Zora integration into Ecosystem session (#5490)\n* fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)\n* fix: correct error mismatch causing race in fast walks (#5516)\n* docs: k8s vulnerability scanning (#5515)\n* docs: remove glad for java datasources (#5508)\n* chore: remove unused logger attribute in amazon detector (#5476)\n* fix: correct error mismatch causing race in fast walks (#5482)\n* fix(server): add licenses to `BlobInfo` message (#5382)\n* feat: scan vulns on k8s core component apps (#5418)\n* fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)\n* fix(sbom): save digests for package/application when scanning SBOM files (#5432)\n* docs: fix the broken link (#5454)\n* docs: fix error when installing `PyYAML` for gh pages (#5462)\n* fix(java): download java-db once (#5442)\n* docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)\n* feat(misconf): Support `--ignore-policy` in config scans (#5359)\n* docs(misconf): fix broken table for `Use 
container image` section (#5425)\n* feat(dart): add graph support (#5374)\n* refactor: define a new struct for scan targets (#5397)\n* fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)\n* fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)\n* docs: remove --scanners none (#5384)\n* docs: Update container_image.md #5182 (#5193)\n* feat(report): Add `InstalledFiles` field to Package (#4706)\n* feat(k8s): add support for vulnerability detection (#5268)\n* fix(python): override BOM in `requirements.txt` files (#5375)\n* docs: add kbom documentation (#5363)\n* test: use maximize build space for VM tests (#5362)\n* fix(report): add escaping quotes in misconfig Title for asff template (#5351)\n* fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)\n* fix: add config files to FS for post-analyzers (#5333)\n* fix: fix MIME warnings after updating to Go 1.20 (#5336)\n* build: fix a compile error with Go 1.21 (#5339)\n* feat: added `Metadata` into the k8s resource\u0027s scan report (#5322)\n* chore: update adopters template (#5330)\n* fix(sbom): use PURL or Group and Name in case of Java (#5154)\n* docs: add buildkite repository to ecosystem page (#5316)\n* chore: enable go-critic (#5302)\n* close java-db client (#5273)\n* fix(report): removes git::http from uri in sarif (#5244)\n* Improve the meaning of sentence (#5301)\n* add app nil check (#5274)\n* typo: in secret.md (#5281)\n* docs: add info about `github` format (#5265)\n* feat(dotnet): add license support for NuGet (#5217)\n* docs: correctly export variables (#5260)\n* chore: Add line numbers for lint output (#5247)\n* chore(cli): disable java-db flags in server mode (#5263)\n* feat(db): allow passing registry options (#5226)\n* refactor(purl): use TypeApk from purl (#5232)\n* chore: enable more linters (#5228)\n* Fix typo on ide.md (#5239)\n* refactor: use defined types (#5225)\n* fix(purl): skip local Go packages (#5190)\n* 
docs: update info about license scanning in Yarn projects (#5207)\n* fix link (#5203)\n* fix(purl): handle rust types (#5186)\n* chore: auto-close issues (#5177)\n* fix(k8s): kbom support addons labels (#5178)\n* test: validate SPDX with the JSON schema (#5124)\n* chore: bump trivy-kubernetes-latest (#5161)\n* docs: add \u0027Signature Verification\u0027 guide (#4731)\n* docs: add image-scanner-with-trivy for ecosystem (#5159)\n* fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)\n* Update filtering.md (#5131)\n* chaging adopters discussion tempalte (#5091)\n* docs: add Bitnami (#5078)\n* feat(docker): add support for scanning Bitnami components (#5062)\n* feat: add support for .trivyignore.yaml (#5070)\n* fix(terraform): improve detection of terraform files (#4984)\n* feat: filter artifacts on --exclude-owned flag (#5059)\n* fix(sbom): cyclonedx advisory should omit `null` value (#5041)\n* build: maximize build space for build tests (#5072)\n* feat: improve kbom component name (#5058)\n* fix(pom): add licenses for pom artifacts (#5071)\n* chore: bump Go to `1.20` (#5067)\n* feat: PURL matching with qualifiers in OpenVEX (#5061)\n* feat(java): add graph support for pom.xml (#4902)\n* feat(swift): add vulns for cocoapods (#5037)\n* fix: support image pull secret for additional workloads (#5052)\n* fix: #5033 Superfluous double quote in html.tpl (#5036)\n* docs(repo): update trivy repo usage and example (#5049)\n* perf: Optimize Dockerfile for reduced layers and size (#5038)\n* feat: scan K8s Resources Kind with --all-namespaces (#5043)\n* fix: vulnerability typo (#5044)\n* docs: adding a terraform tutorial to the docs (#3708)\n* feat(report): add licenses to sarif format (#4866)\n* feat(misconf): show the resource name in the report (#4806)\n* chore: update alpine base images (#5015)\n* feat: add Package.resolved swift files support (#4932)\n* feat(nodejs): parse licenses in yarn projects (#4652)\n* fix: k8s private registries 
support (#5021)\n* bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)\n* feat(vuln): support last_affected field from osv (#4944)\n* feat(server): add version endpoint (#4869)\n* feat: k8s private registries support (#4987)\n* fix(server): add indirect prop to package (#4974)\n* docs: add coverage (#4954)\n* feat(c): add location for lock file dependencies. (#4994)\n* docs: adding blog post on ec2 (#4813)\n* revert 32bit bins (#4977)\n\nUpdate to version 0.44.1:\n\n* fix(report): return severity colors in table format (#4969)\n* build: maximize available disk space for release (#4937)\n* test(cli): Fix assertion helptext (#4966)\n* test: validate CycloneDX with the JSON schema (#4956)\n* fix(server): add licenses to the Result message (#4955)\n* fix(aws): resolve endpoint if endpoint is passed (#4925)\n* fix(sbom): move licenses to `name` field in Cyclonedx format (#4941)\n* use testify instead of gotest.tools (#4946)\n* fix(nodejs): do not detect lock file in node_modules as an app (#4949)\n* bump go-dep-parser (#4936)\n* test(aws): move part of unit tests to integration (#4884)\n* docs(cli): update help string for file and dir skipping (#4872)\n* docs: update the discussion template (#4928)\n\n Update to version 0.44.0:\n\n* feat(repo): support local repositories (#4890)\n* bump go-dep-parser (#4893)\n* fix(misconf): add missing fields to proto (#4861)\n* fix: remove trivy-db package replacement (#4877)\n* chore(test): bump the integration test timeout to 15m (#4880)\n* chore: update CODEOWNERS (#4871)\n* feat(vuln): support vulnerability status (#4867)\n* feat(misconf): Support custom URLs for policy bundle (#4834)\n* refactor: replace with sortable packages (#4858)\n* docs: correct license scanning sample command (#4855)\n* fix(report): close the file (#4842)\n* feat(misconf): Add support for independently enabling libraries (#4070)\n* feat(secret): add secret config file for cache calculation (#4837)\n* Fix a link in gitlab-ci.md 
(#4850)\n* fix(flag): use globalstar to skip directories (#4854)\n* fix(license): using common way for splitting licenses (#4434)\n* fix(containerd): Use img platform in exporter instead of strict host platform (#4477)\n* remove govulndb (#4783)\n* fix(java): inherit licenses from parents (#4817)\n* refactor: add allowed values for CLI flags (#4800)\n* add example regex to allow rules (#4827)\n* feat(misconf): Support custom data for rego policies for cloud (#4745)\n* docs: correcting the trivy k8s tutorial (#4815)\n* feat(cli): add --tf-exclude-downloaded-modules flag (#4810)\n* fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)\n* feat(misconf): enable --policy flag to accept directory and files both (#4777)\n* feat(python): add license fields (#4722)\n* fix: support trivy k8s-version on k8s sub-command (#4786)\n\nUpdate to version 0.43.1:\n\n* docs(image): fix the comment on the soft/hard link (#4740)\n* check Type when filling pkgs in vulns (#4776)\n* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)\n* fix(rocky): add architectures support for advisories (#4691)\n* fix: documentation about reseting trivy image (#4733)\n* fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)\n* fix: update Amazon Linux 1 EOL (#4761)\n\nUpdate to version 0.43.0:\n\n* feat(nodejs): support yarn workspaces (#4664)\n* fix(image): pass the secret scanner option to scan the img config (#4735)\n* fix: scan job pod it not found on k8s-1.27.x (#4729)\n* feat(docker): add support for mTLS authentication when connecting to registry (#4649)\n* fix: skip scanning the gpg-pubkey package (#4720)\n* Fix http registry oci pull (#4701)\n* feat(misconf): Support skipping services (#4686)\n* docs: fix supported modes for pubspec.lock files (#4713)\n* fix(misconf): disable the terraform plan analyzer for other scanners (#4714)\n* clarifying a dir path is required for custom policies (#4716)\n* chore: update 
alpine base images (#4715)\n* fix last-history-created (#4697)\n* feat: kbom and cyclonedx v1.5 spec support (#4708)\n* docs: add information about Aqua (#4590)\n* fix: k8s escape resource filename on windows os (#4693)\n* feat: cyclondx sbom custom property support (#4688)\n* add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690)\n* use group field for jar in cyclonedx (#4674)\n* feat(java): capture licenses from pom.xml (#4681)\n* feat(helm): make sessionAffinity configurable (#4623)\n* fix: Show the correct URL of the secret scanning (#4682)\n* document expected file pattern definition format (#4654)\n* fix: format arg error (#4642)\n* feat(k8s): cyclonedx kbom support (#4557)\n* fix(nodejs): remove unused fields for the pnpm lockfile (#4630)\n* fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)\n* fix(debian): update EOL for Debian 12 (#4647)\n* chore: unnecessary use of fmt.Sprintf (S1039) (#4637)\n* fix(db): change argument order in Exists query for JavaDB (#4595)\n* feat(aws): Add support to see successes in results (#4427)\n* feat: trivy k8s private registry support (#4567)\n* docs: add general coverage page (#3859)\n* chore: create SECURITY.md (#4601)\n\nUpdate to version 0.42.1:\n\n* fix(misconf): deduplicate misconf results (#4588)\n* fix(vm): support sector size of 4096 (#4564)\n* fix(misconf): terraform relative paths (#4571)\n* fix(purl): skip unsupported library type (#4577)\n* fix(terraform): recursively detect all Root Modules (#4457)\n* fix(vm): support post analyzer for vm command (#4544)\n* fix(nodejs): change the type of the devDependencies field (#4560)\n* fix(sbom): export empty dependencies in CycloneDX (#4568)\n* refactor: add composite fs for post-analyzers (#4556)\n* feat: add SBOM analyzer (#4210)\n* fix(sbom): update logic for work with files in spdx format (#4513)\n* feat: azure workload identity support (#4489)\n* feat(ubuntu): add eol date for 18.04 ESM (#4524)\n* fix(misconf): Update 
required extensions for terraformplan (#4523)\n* refactor(cyclonedx): add intermediate representation (#4490)\n* fix(misconf): Remove debug print while scanning (#4521)\n* fix(java): remove duplicates of jar libs (#4515)\n* fix(java): fix overwriting project props in pom.xml (#4498)\n* docs: Update compilation instructions (#4512)\n* fix(nodejs): update logic for parsing pnpm lock files (#4502)\n* fix(secret): remove aws-account-id rule (#4494)\n* feat(oci): add support for referencing an input image by digest (#4470)\n* docs: fixed the format (#4503)\n* fix(java): add support of * for exclusions for pom.xml files (#4501)\n* feat: adding issue template for documentation (#4453)\n* docs: switch glad to ghsa for Go (#4493)\n* feat(misconf): Add terraformplan support (#4342)\n* feat(debian): add digests for dpkg (#4445)\n* feat(k8s): exclude node scanning by node labels (#4459)\n* docs: add info about multi-line mode for regexp from custom secret rules (#4159)\n* feat(cli): convert JSON reports into a different format (#4452)\n* feat(image): add logic to guess base layer for docker-cis scan (#4344)\n* fix(cyclonedx): set original names for packages (#4306)\n* feat: group subcommands (#4449)\n* feat(cli): add retry to cache operations (#4189)\n* fix(vuln): report architecture for `apk` packages (#4247)\n* refactor: enable cases where return values are not needed in pipeline (#4443)\n* fix(image): resolve scan deadlock when error occurs in slow mode (#4336)\n* docs(misconf): Update docs for kubernetes file patterns (#4435)\n* test: k8s integration tests (#4423)\n* feat(redhat): add package digest for rpm (#4410)\n* feat(misconf): Add `--reset-policy-bundle` for policy bundle (#4167)\n* fix: typo (#4431)\n* add user instruction to imgconf (#4429)\n* fix(k8s): add image sources (#4411)\n* docs(scanning): Add versioning banner (#4415)\n* feat(cli): add mage command to update golden integration test files (#4380)\n* feat: node-collector custom namespace support (#4407)\n* 
refactor(sbom): use multiline json for spdx-json format (#4404)\n* fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347)\n* refactor: code-optimization (#4214)\n* feat(image): Add image-src flag to specify which runtime(s) to use (#4047)\n* test: skip wrong update of test golden files (#4379)\n* refactor: don\u0027t return error for package.json without version/name (#4377)\n* docs: cmd error (#4376)\n* test(cli): add test for config file and env combination (#2666)\n* fix(report): set a correct file location for license scan output (#4326)\n* chore(alpine): Update Alpine to 3.18 (#4351)\n* fix(alpine): add EOL date for Alpine 3.18 (#4308)\n* feat: allow root break for mapfs (#4094)\n* docs(misconf): Remove examples.md (#4256)\n* fix(ubuntu): update eol dates for Ubuntu (#4258)\n* feat(alpine): add digests for apk packages (#4168)\n* chore: add discussion templates (#4190)\n* fix(terraform): Support tfvars (#4123)\n* chore: separate docs:generate (#4242)\n* refactor: define vulnerability scanner interfaces (#4117)\n* feat: unified k8s scan resources (#4188)\n* chore: trivy bin ignore (#4212)\n* feat(image): enforce image platform (#4083)\n* fix(ubuntu): fix version selection logic for ubuntu esm (#4171)\n* chore: install.sh support for windows (#4155)\n* docs: moving skipping files out of others (#4154)\n\nUpdate to version 0.41.0:\n\n* fix(spdx): add workaround for no src packages (#4118)\n* test(golang): rename broken go.mod (#4129)\n* feat(sbom): add supplier field (#4122)\n* test(misconf): skip downloading of policies for tests #4126\n* refactor: use debug message for post-analyze errors (#4037)\n* feat(sbom): add VEX support (#4053)\n* feat(sbom): add primary package purpose field for SPDX (#4119)\n* fix(k8s): fix quiet flag (#4120)\n* fix(python): parse of pip extras (#4103)\n* feat(java): use full path for nested jars (#3992)\n* feat(license): add new flag for classifier confidence level (#4073)\n* feat: config and fs compliance support (#4097)\n* feat(spdx): 
add support for SPDX 2.3 (#4058)\n* fix: k8s all-namespaces support (#4096)\n* perf(misconf): replace with post-analyzers (#4090)\n* fix(helm): update networking API version detection (#4106)\n* feat(image): custom docker host option (#3599)\n* style: debug flag is incorrect and needs extra - (#4087)\n* docs(vuln): Document inline vulnerability filtering comments (#4024)\n* feat(fs): customize error callback during fs walk (#4038)\n* fix(ubuntu): skip copyright files from subfolders (#4076)\n* docs: restructure scanners (#3977)\n* fix: fix `file does not exist` error for post-analyzers (#4061)\n\nUpdate to version 0.40.0:\n\n* feat(flag): Support globstar for `--skip-files` and `--skip-directories` (#4026)\n* fix: return insecure option to download javadb (#4064)\n* fix(nodejs): don\u0027t stop parsing when unsupported yarn.lock protocols are found (#4052)\n* fix(k8s): current context title (#4055)\n* fix(k8s): quit support on k8s progress bar (#4021)\n* chore: add a note about Dockerfile.canary (#4050)\n* fix(vuln): report architecture for debian packages (#4032)\n* feat: add support for Chainguard\u0027s commercial distro (#3641)\n* fix(vuln): fix error message for remote scanners (#4031)\n* feat(report): add image metadata to SARIF (#4020)\n* docs: fix broken cache link on Installation page (#3999)\n* fix: lock downloading policies and database (#4017)\n* fix: avoid concurrent access to the global map (#4014)\n* feat(rust): add Cargo.lock v3 support (#4012)\n* feat: auth support oci download server subcommand (#4008)\n* chore: install.sh support for armv7 (#3985)\n\nUpdate to version 0.39.1:\n\n* fix(rust): fix panic when \u0027dependencies\u0027 field is not used in cargo.toml (#3997)\n* fix(sbom): fix infinite loop for cyclonedx (#3998)\n* fix: use warning for errors from enrichment files for post-analyzers (#3972)\n* fix(helm): added annotation to psp configurable from values (#3893)\n* fix(secret): update built-in rule `tests` (#3855)\n* test: rewrite 
scripts in Go (#3968)\n* docs(cli): Improve glob documentation (#3945)\n\nUpdate to version 0.39.0:\n\n* docs(cli): added makefile and go file to create docs (#3930)\n* feat(cyclonedx): support dependency graph (#3177)\n* feat(server): redis with public TLS certs support (#3783)\n* feat(flag): Add glob support to `--skip-dirs` and `--skip-files` (#3866)\n* chore: replace make with mage (#3932)\n* fix(sbom): add checksum to files (#3888)\n* chore: remove unused mount volumes (#3927)\n* feat: add auth support for downloading OCI artifacts (#3915)\n* refactor(purl): use epoch in qualifier (#3913)\n* feat(image): add registry options (#3906)\n* feat(rust): dependency tree and line numbers support for cargo lock file (#3746)\n* feat(php): add support for location, licenses and graph for composer.lock files (#3873)\n* feat(image): discover SBOM in OCI referrers (#3768)\n* docs: change cache-dir key in config file (#3897)\n* fix(sbom): use release and epoch for SPDX package version (#3896)\n* docs: Update incorrect comment for skip-update flag (#3878)\n* refactor(misconf): simplify policy filesystem (#3875)\n* feat(nodejs): parse package.json alongside yarn.lock (#3757)\n* fix(spdx): add PkgDownloadLocation field (#3879)\n* chore(amazon): update EOL (#3876)\n* fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877)\n* feat(amazon): add al2023 support (#3854)\n* docs(misconf): Add information about selectors (#3703)\n* docs(cli): update CLI docs with cobra (#3815)\n* feat: k8s parallel processing (#3693)\n* docs: add DefectDojo in the Security Management section (#3871)\n* refactor: add pipeline (#3868)\n* feat(cli): add javadb metadata to version info (#3835)\n* feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849)\n* feat: add node toleration option (#3823)\n* fix: allow mapfs to open dirs (#3867)\n* fix(report): update uri only for os class targets (#3846)\n* feat(nodejs): Add v3 npm lock file support (#3826)\n* 
feat(nodejs): parse package.json files alongside package-lock.json (#2916)\n* docs(misconf): Fix links to built in policies (#3841)\n\nUpdate to version 0.38.3:\n\n from 1.86.1 to 1.89.1\n* fix(java): skip empty files for jar post analyzer\n* fix(docker): build healthcheck command for line without\n /bin/sh prefix\n* refactor(license): use goyacc for license parser (#3824)\n 23.0.0-rc.1+incompatible to 23.0.1+incompatible\n* fix: populate timeout context to node-collector\n* fix: exclude node collector scanning (#3771)\n* fix: display correct flag in error message when skipping\n java db update #3808\n* fix: disable jar analyzer for scanners other than vuln (#3810)\n* fix(sbom): fix incompliant license format for spdx (#3335)\n* fix(java): the project props take precedence over the\n parent\u0027s props (#3320)\n* docs: add canary build info to README.md (#3799)\n* docs: adding link to gh token generation (#3784)\n* docs: changing docs in accordance with #3460 (#3787)\n\nUpdate to version 0.38.2:\n\n* fix(license): disable jar analyzer for licence scan only (#3780)\n* bump trivy-issue-action to v0.0.0; skip `pkg` dir (#3781)\n* fix: skip checking dirs for required post-analyzers (#3773)\n* docs: add information about plugin format (#3749)\n* fix(sbom): add trivy version to spdx creators tool field (#3756)\n\nUpdate to version 0.38.1:\n\n* feat(misconf): Add support to show policy bundle version (#3743)\n* fix(python): fix error with optional dependencies in pyproject.toml (#3741)\n* add id for package.json files (#3750)\n\nUpdate to version 0.38.0:\n\n* fix(cli): pass integer to exit-on-eol (#3716)\n* feat: add kubernetes pss compliance (#3498)\n* feat: Adding --module-dir and --enable-modules (#3677)\n* feat: add special IDs for filtering secrets (#3702)\n* docs(misconf): Add guide on input schema (#3692)\n* feat(go): support dependency graph and show only direct dependencies in the tree (#3691)\n* feat: docker multi credential support (#3631)\n* feat: summarize 
vulnerabilities in compliance reports (#3651)\n* feat(python): parse pyproject.toml alongside poetry.lock (#3695)\n* feat(python): add dependency tree for poetry lock file (#3665)\n* fix(cyclonedx): incompliant affect ref (#3679)\n* chore(helm): update skip-db-update environment variable (#3657)\n* fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675)\n* fix(sbom): export empty dependencies in CycloneDX (#3664)\n* docs: java-db air-gap doc tweaks (#3561)\n* feat(go): license support (#3683)\n* feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)\n* fix(k8s): k8s label size (#3678)\n* fix(cyclondx): fix array empty value, null to [] (#3676)\n* refactor: rewrite gomod analyzer as post-analyzer (#3674)\n* feat: config outdated-api result filtered by k8s version (#3578)\n* fix: Update to Alpine 3.17.2 (#3655)\n* feat: add support for virtual files (#3654)\n* feat: add post-analyzers (#3640)\n* feat(python): add dependency locations for Pipfile.lock (#3614)\n* fix(java): fix groupID selection by ArtifactID for jar files. (#3644)\n* fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)\n* feat(cli): add command completion (#3061)\n* docs(misconf): update dockerfile link (#3627)\n* feat(flag): add exit-on-eosl option (#3423)\n* fix(cli): make java db repository configurable (#3595)\n* chore: bump trivy-kubernetes (#3613)\n ",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2024-268",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0268-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:0268-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6XAQOEGAUMX4BBTNYDJHKA4H3VD5H2PQ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:0268-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6XAQOEGAUMX4BBTNYDJHKA4H3VD5H2PQ/"
},
{
"category": "self",
"summary": "SUSE Bug 1224781",
"url": "https://bugzilla.suse.com/1224781"
},
{
"category": "self",
"summary": "SUSE Bug 1227022",
"url": "https://bugzilla.suse.com/1227022"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42363 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42363/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35192 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35192/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-6257 page",
"url": "https://www.suse.com/security/cve/CVE-2024-6257/"
}
],
"title": "Security update for trivy",
"tracking": {
"current_release_date": "2024-08-30T08:00:39Z",
"generator": {
"date": "2024-08-30T08:00:39Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:0268-1",
"initial_release_date": "2024-08-30T08:00:39Z",
"revision_history": [
{
"date": "2024-08-30T08:00:39Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp155.2.3.1.aarch64",
"product": {
"name": "trivy-0.54.1-bp155.2.3.1.aarch64",
"product_id": "trivy-0.54.1-bp155.2.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp155.2.3.1.i586",
"product": {
"name": "trivy-0.54.1-bp155.2.3.1.i586",
"product_id": "trivy-0.54.1-bp155.2.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp155.2.3.1.ppc64le",
"product": {
"name": "trivy-0.54.1-bp155.2.3.1.ppc64le",
"product_id": "trivy-0.54.1-bp155.2.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp155.2.3.1.s390x",
"product": {
"name": "trivy-0.54.1-bp155.2.3.1.s390x",
"product_id": "trivy-0.54.1-bp155.2.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp155.2.3.1.x86_64",
"product": {
"name": "trivy-0.54.1-bp155.2.3.1.x86_64",
"product_id": "trivy-0.54.1-bp155.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP5",
"product": {
"name": "SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.aarch64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.aarch64"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.i586 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.i586"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.ppc64le as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.ppc64le"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.s390x as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.s390x"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.x86_64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.x86_64"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.aarch64"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.i586 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.i586"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.ppc64le as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.ppc64le"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.s390x as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.s390x"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp155.2.3.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.x86_64"
},
"product_reference": "trivy-0.54.1-bp155.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42363"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.i586",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42363",
"url": "https://www.suse.com/security/cve/CVE-2023-42363"
},
{
"category": "external",
"summary": "SUSE Bug 1217580 for CVE-2023-42363",
"url": "https://bugzilla.suse.com/1217580"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.i586",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.i586",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-30T08:00:39Z",
"details": "moderate"
}
],
"title": "CVE-2023-42363"
},
{
"cve": "CVE-2024-35192",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35192"
}
],
"notes": [
{
"category": "general",
"text": "Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.i586",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35192",
"url": "https://www.suse.com/security/cve/CVE-2024-35192"
},
{
"category": "external",
"summary": "SUSE Bug 1224781 for CVE-2024-35192",
"url": "https://bugzilla.suse.com/1224781"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.i586",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-30T08:00:39Z",
"details": "low"
}
],
"title": "CVE-2024-35192"
},
{
"cve": "CVE-2024-6257",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-6257"
}
],
"notes": [
{
"category": "general",
"text": "HashiCorp\u0027s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.i586",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-6257",
"url": "https://www.suse.com/security/cve/CVE-2024-6257"
},
{
"category": "external",
"summary": "SUSE Bug 1227011 for CVE-2024-6257",
"url": "https://bugzilla.suse.com/1227011"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.i586",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.s390x",
"SUSE Package Hub 15 SP5:trivy-0.54.1-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.i586",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.ppc64le",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.s390x",
"openSUSE Leap 15.5:trivy-0.54.1-bp155.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-30T08:00:39Z",
"details": "important"
}
],
"title": "CVE-2024-6257"
}
]
}
OPENSUSE-SU-2025:15361-1
Vulnerability from csaf_opensuse - Published: 2025-07-20 00:00 - Updated: 2025-07-20 00:00
Summary
busybox-1.37.0-5.1 on GA media
Notes
Title of the patch
busybox-1.37.0-5.1 on GA media
Description of the patch
These are all security issues fixed in the busybox-1.37.0-5.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15361
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "busybox-1.37.0-5.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the busybox-1.37.0-5.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15361",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15361-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42363 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42363/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42364 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42364/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42365 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42365/"
}
],
"title": "busybox-1.37.0-5.1 on GA media",
"tracking": {
"current_release_date": "2025-07-20T00:00:00Z",
"generator": {
"date": "2025-07-20T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15361-1",
"initial_release_date": "2025-07-20T00:00:00Z",
"revision_history": [
{
"date": "2025-07-20T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-5.1.aarch64",
"product": {
"name": "busybox-1.37.0-5.1.aarch64",
"product_id": "busybox-1.37.0-5.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-5.1.aarch64",
"product": {
"name": "busybox-static-1.37.0-5.1.aarch64",
"product_id": "busybox-static-1.37.0-5.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-5.1.aarch64",
"product": {
"name": "busybox-testsuite-1.37.0-5.1.aarch64",
"product_id": "busybox-testsuite-1.37.0-5.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-5.1.aarch64",
"product": {
"name": "busybox-warewulf3-1.37.0-5.1.aarch64",
"product_id": "busybox-warewulf3-1.37.0-5.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-5.1.ppc64le",
"product": {
"name": "busybox-1.37.0-5.1.ppc64le",
"product_id": "busybox-1.37.0-5.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-5.1.ppc64le",
"product": {
"name": "busybox-static-1.37.0-5.1.ppc64le",
"product_id": "busybox-static-1.37.0-5.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-5.1.ppc64le",
"product": {
"name": "busybox-testsuite-1.37.0-5.1.ppc64le",
"product_id": "busybox-testsuite-1.37.0-5.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-5.1.ppc64le",
"product": {
"name": "busybox-warewulf3-1.37.0-5.1.ppc64le",
"product_id": "busybox-warewulf3-1.37.0-5.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-5.1.s390x",
"product": {
"name": "busybox-1.37.0-5.1.s390x",
"product_id": "busybox-1.37.0-5.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-5.1.s390x",
"product": {
"name": "busybox-static-1.37.0-5.1.s390x",
"product_id": "busybox-static-1.37.0-5.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-5.1.s390x",
"product": {
"name": "busybox-testsuite-1.37.0-5.1.s390x",
"product_id": "busybox-testsuite-1.37.0-5.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-5.1.s390x",
"product": {
"name": "busybox-warewulf3-1.37.0-5.1.s390x",
"product_id": "busybox-warewulf3-1.37.0-5.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-5.1.x86_64",
"product": {
"name": "busybox-1.37.0-5.1.x86_64",
"product_id": "busybox-1.37.0-5.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-5.1.x86_64",
"product": {
"name": "busybox-static-1.37.0-5.1.x86_64",
"product_id": "busybox-static-1.37.0-5.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-5.1.x86_64",
"product": {
"name": "busybox-testsuite-1.37.0-5.1.x86_64",
"product_id": "busybox-testsuite-1.37.0-5.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-5.1.x86_64",
"product": {
"name": "busybox-warewulf3-1.37.0-5.1.x86_64",
"product_id": "busybox-warewulf3-1.37.0-5.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64"
},
"product_reference": "busybox-1.37.0-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le"
},
"product_reference": "busybox-1.37.0-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x"
},
"product_reference": "busybox-1.37.0-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64"
},
"product_reference": "busybox-1.37.0-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64"
},
"product_reference": "busybox-static-1.37.0-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le"
},
"product_reference": "busybox-static-1.37.0-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x"
},
"product_reference": "busybox-static-1.37.0-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64"
},
"product_reference": "busybox-testsuite-1.37.0-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le"
},
"product_reference": "busybox-testsuite-1.37.0-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x"
},
"product_reference": "busybox-testsuite-1.37.0-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64"
},
"product_reference": "busybox-testsuite-1.37.0-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-warewulf3-1.37.0-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64"
},
"product_reference": "busybox-warewulf3-1.37.0-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-warewulf3-1.37.0-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le"
},
"product_reference": "busybox-warewulf3-1.37.0-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-warewulf3-1.37.0-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x"
},
"product_reference": "busybox-warewulf3-1.37.0-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-warewulf3-1.37.0-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
},
"product_reference": "busybox-warewulf3-1.37.0-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42363"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42363",
"url": "https://www.suse.com/security/cve/CVE-2023-42363"
},
{
"category": "external",
"summary": "SUSE Bug 1217580 for CVE-2023-42363",
"url": "https://bugzilla.suse.com/1217580"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-42363"
},
{
"cve": "CVE-2023-42364",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42364"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42364",
"url": "https://www.suse.com/security/cve/CVE-2023-42364"
},
{
"category": "external",
"summary": "SUSE Bug 1217584 for CVE-2023-42364",
"url": "https://bugzilla.suse.com/1217584"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-42364"
},
{
"cve": "CVE-2023-42365",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42365"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42365",
"url": "https://www.suse.com/security/cve/CVE-2023-42365"
},
{
"category": "external",
"summary": "SUSE Bug 1217585 for CVE-2023-42365",
"url": "https://bugzilla.suse.com/1217585"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:busybox-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-static-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-testsuite-1.37.0-5.1.x86_64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.aarch64",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.ppc64le",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.s390x",
"openSUSE Tumbleweed:busybox-warewulf3-1.37.0-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-42365"
}
]
}
OPENSUSE-SU-2024:0269-1
Vulnerability from csaf_opensuse - Published: 2024-08-30 08:00 - Updated: 2024-08-30 08:00
Summary
Security update for trivy
Notes
Title of the patch
Security update for trivy
Description of the patch
trivy was updated to fix the following issues:
Update to version 0.54.1:
* fix(flag): incorrect behavior for deprecated flag `--clear-cache` [backport: release/v0.54] (#7285)
* fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
* fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)
* release: v0.54.0 [main] (#7075)
* docs: update ecosystem page reporting with plopsec.com app (#7262)
* feat(vex): retrieve VEX attestations from OCI registries (#7249)
* feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)
* refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259)
* fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110)
* chore: show VEX notice for OSS maintainers in CI environments (#7246)
* feat(vuln): add `--pkg-relationships` (#7237)
* docs: show VEX cli pages + update config file page for VEX flags (#7244)
* fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194)
* feat(vex): VEX Repository support (#7206)
* fix(secret): skip regular strings contain secret patterns (#7182)
* feat: share built-in rules (#7207)
* fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)
* fix(cli): error on missing config file (#7154)
* fix(secret): update length of `hugging-face-access-token` (#7216)
* feat(sbom): add vulnerability support for SPDX formats (#7213)
* fix(secret): trim excessively long lines (#7192)
* chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)
* fix(server): pass license categories to options (#7203)
* feat(mariner): Add support for Azure Linux (#7186)
* docs: updates config file (#7188)
* refactor(fs): remove unused field for CompositeFS (#7195)
* fix: add missing platform and type to spec (#7149)
* feat(misconf): enabled China configuration for ACRs (#7156)
* fix: close file when failed to open gzip (#7164)
* docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)
* docs(misconf): add info about limitations for terraform plan json (#7143)
* chore: add VEX for Trivy images (#7140)
* chore: add VEX document and generator for Trivy (#7128)
* fix(misconf): do not evaluate TF when a load error occurs (#7109)
* feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)
* refactor(secret): move warning about file size after `IsBinary` check (#7123)
* feat: add openSUSE tumbleweed detection and scanning (#6965)
* test: add missing advisory details for integration tests database (#7122)
* fix: Add dependencyManagement exclusions to the child exclusions (#6969)
* fix: ignore nodes when listing permission is not allowed (#7107)
* fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)
* refactor(secret): add warning about large files (#7085)
* feat(nodejs): add license parser to pnpm analyser (#7036)
* refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)
* feat: add `log.FilePath()` function for logger (#7080)
* chore: bump golangci-lint from v1.58 to v1.59 (#7077)
* perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation (#7065)
* refactor: pass DB dir to trivy-db (#7057)
* docs: navigate to the release highlights and summary (#7072)
Update to version 0.53.0 (bsc#1227022, CVE-2024-6257):
* release: v0.53.0 [main] (#6855)
* feat(conda): add licenses support for `environment.yml` files (#6953)
* fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
* feat: add memory cache backend (#7048)
* fix(sbom): use package UIDs for uniqueness (#7042)
* feat(php): add installed.json file support (#4865)
* docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
* fix: use embedded when command path not found (#7037)
* refactor: use google/wire for cache (#7024)
* fix(cli): show info message only when --scanners is available (#7032)
* chore: enable float-compare rule from testifylint (#6967)
* docs: Add sudo on commands, chmod before mv on install docs (#7009)
* fix(plugin): respect `--insecure` (#7022)
* feat(k8s)!: node-collector dynamic commands support (#6861)
* fix(sbom): take pkg name from `purl` for maven pkgs (#7008)
* feat!: add clean subcommand (#6993)
* chore: use `!` for breaking changes (#6994)
* feat(aws)!: Remove aws subcommand (#6995)
* refactor: replace global cache directory with parameter passing (#6986)
* fix(sbom): use `purl` for `bitnami` pkg names (#6982)
* chore: bump Go toolchain version (#6984)
* refactor: unify cache implementations (#6977)
* docs: non-packaged and sbom clarifications (#6975)
* BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin (#6819)
* docs: delete unknown URL (#6972)
* refactor: use version-specific URLs for documentation references (#6966)
* refactor: delete db mock (#6940)
* refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
* feat: Add local ImageID to SARIF metadata (#6522)
* fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
* feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
* feat(java): add support for `maven-metadata.xml` files for remote snapshot repositories. (#6950)
* fix(purl): add missed os types (#6955)
* fix(cyclonedx): trim non-URL info for `advisory.url` (#6952)
* fix(c): don't skip conan files from `file-patterns` and scan `.conan2` cache dir (#6949)
* fix(image): parse `image.inspect.Created` field only for non-empty values (#6948)
* fix(misconf): handle source prefix to ignore (#6945)
* fix(misconf): fix parsing of engine links and frameworks (#6937)
* feat(misconf): support of selectors for all providers for Rego (#6905)
* fix(license): return license separation using separators `,`, `or`, etc. (#6916)
* feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
* BREAKING(misconf): flatten recursive types (#6862)
* test: bump docker API to 1.45 (#6914)
* feat(sbom): migrate to `CycloneDX v1.6` (#6903)
* feat(image): Set User-Agent header for Trivy container registry requests (#6868)
* fix(debian): take installed files from the origin layer (#6849)
* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken (#6858)
* feat(misconf): API Gateway V1 support for CloudFormation (#6874)
* feat(plugin): add support for nested archives (#6845)
* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files (#6866)
* fix(secret): `Asymmetric Private Key` shouldn't start with space (#6867)
* chore: auto label discussions (#5259)
* docs: explain how VEX is applied (#6864)
* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)
* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
* feat(dart): use first version of constraint for dependencies using SDK version (#6239)
* fix(misconf): parsing numbers without fraction as int (#6834)
* fix(misconf): fix caching of modules in subdirectories (#6814)
* feat(misconf): add metadata to Cloud schema (#6831)
* test: replace embedded Git repository with dynamically created repository (#6824)
Update to version 0.52.2:
* test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
* fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)
Update to version 0.52.1:
* release: v0.52.1 [release/v0.52] (#6877)
* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)
* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)
* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)
* docs: explain how VEX is applied (#6864)
* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
Update to version 0.52.0 (bsc#1224781, CVE-2024-35192):
* release: v0.52.0 [main] (#6809)
* fix(plugin): initialize logger (#6836)
* fix(cli): always output fatal errors to stderr (#6827)
* fix: close testfile (#6830)
* docs(julia): add scanner table (#6826)
* feat(python): add license support for `requirement.txt` files (#6782)
* docs: add more workarounds for out-of-disk (#6821)
* chore: improve error message for image not found (#6822)
* fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808)
* fix: clean up golangci lint configuration (#6797)
* fix(python): add package name and version validation for `requirements.txt` files. (#6804)
* feat(vex): improve relationship support in CSAF VEX (#6735)
* chore(alpine): add eol date for Alpine 3.20 (#6800)
* docs(plugin): add missed `plugin` section (#6799)
* fix: include packages unless it is not needed (#6765)
* feat(misconf): support for VPC resources for inbound/outbound rules (#6779)
* chore: replace interface{} with any (#6751)
* fix: close settings.xml (#6768)
* refactor(go): add priority for gobinary module versions from `ldflags` (#6745)
* build: use main package instead of main.go (#6766)
* feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)
* docs: add info on adding compliance checks (#6275)
* docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)
* feat(nodejs): add v9 pnpm lock file support (#6617)
* feat(vex): support non-root components for products in OpenVEX (#6728)
* feat(python): add line number support for `requirement.txt` files (#6729)
* chore: respect timeout value in .golangci.yaml (#6724)
* fix: node-collector high and critical cves (#6707)
* Merge pull request from GHSA-xcq4-m2r3-cmrj
* chore: auto-bump golang patch versions (#6711)
* fix(misconf): don't shift ignore rule related to code (#6708)
* feat(plugin): specify plugin version (#6683)
* chore: enforce golangci-lint version (#6700)
* fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705)
* fix(go): add only non-empty root modules for `gobinaries` (#6710)
* refactor: unify package addition and vulnerability scanning (#6579)
* fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
* feat(misconf): Add support for deprecating a check (#6664)
* feat: Add Julia language analyzer support (#5635)
* feat(misconf): register builtin Rego funcs from trivy-checks (#6616)
* fix(report): hide empty tables if all vulns has been filtered (#6352)
* feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)
* feat: add support for plugin index (#6674)
* docs: add support table for client server mode (#6498)
* fix: close APKINDEX archive file (#6672)
* fix(misconf): skip Rego errors with a nil location (#6666)
* refactor: move artifact types under artifact package to avoid import cycles (#6652)
* refactor(misconf): remove extrafs (#6656)
* refactor: re-define module structs for serialization (#6655)
* chore(misconf): Clean up iac logger (#6642)
* feat(misconf): support symlinks inside of Helm archives (#6621)
* feat(misconf): add Terraform 'removed' block to schema (#6640)
* refactor: unify Library and Package structs (#6633)
* fix: use of specified context to obtain cluster name (#6645)
* perf(misconf): parse rego input once (#6615)
* fix(misconf): skip Rego errors with a nil location (#6638)
* docs: link warning to both timeout config options (#6620)
* docs: fix usage of image-config-scanners (#6635)
Update to version 0.51.1:
* fix(fs): handle default skip dirs properly (#6628)
* fix(misconf): load cached tf modules (#6607)
* fix(misconf): do not use semver for parsing tf module versions (#6614)
* refactor: move setting scanners when using compliance reports to flag parsing (#6619)
* feat: introduce package UIDs for improved vulnerability mapping (#6583)
* perf(misconf): Improve cause performance (#6586)
* docs: trivy-k8s new experience remove unused section (#6608)
* docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
* feat(misconf): Use updated terminology for misconfiguration checks (#6476)
* docs: use `generic` link from `trivy-repo` (#6606)
* docs: update trivy k8s with new experience (#6465)
* feat: support `--skip-images` scanning flag (#6334)
* BREAKING: add support for k8s `disable-node-collector` flag (#6311)
* feat: add ubuntu 23.10 and 24.04 support (#6573)
* docs(go): add stdlib (#6580)
* feat(go): parse main mod version from build info settings (#6564)
* feat: respect custom exit code from plugin (#6584)
* docs: add asdf and mise installation method (#6063)
* feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
* feat: add support `environment.yaml` files (#6569)
* fix: close plugin.yaml (#6577)
* fix: trivy k8s avoid deleting non-default node collector namespace (#6559)
* BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)
* feat(go): add main module (#6574)
* feat: add relationships (#6563)
* docs: mention `--show-suppressed` is available in table (#6571)
* chore: fix sqlite to support loong64 (#6511)
* fix(debian): sort dpkg info before parsing due to exclude directories (#6551)
* docs: update info about config file (#6547)
* docs: remove RELEASE_VERSION from trivy.repo (#6546)
* fix(sbom): change error to warning for multiple OSes (#6541)
* fix(vuln): skip empty versions (#6542)
* feat(c): add license support for conan lock files (#6329)
* fix(terraform): Attribute and fileset fixes (#6544)
* refactor: change warning if no vulnerability details are found (#6230)
* refactor(misconf): improve error handling in the Rego scanner (#6527)
* feat(go): parse main module of go binary files (#6530)
* refactor(misconf): simplify the retrieval of module annotations (#6528)
* docs(nodejs): add info about supported versions of pnpm lock files (#6510)
* feat(misconf): loading embedded checks as a fallback (#6502)
* fix(misconf): Parse JSON k8s manifests properly (#6490)
* refactor: remove parallel walk (#5180)
* fix: close pom.xml (#6507)
* fix(secret): convert severity for custom rules (#6500)
* fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)
* fix: typo (#6283)
* docs(k8s,image): fix command-line syntax issues (#6403)
* fix(misconf): avoid panic if the scheme is not valid (#6496)
* feat(image): goversion as stdlib (#6277)
* fix: add color for error inside of log message (#6493)
* docs: fix links to OPA docs (#6480)
* refactor: replace zap with slog (#6466)
* docs: update links to IaC schemas (#6477)
* chore: bump Go to 1.22 (#6075)
* refactor(terraform): sync funcs with Terraform (#6415)
* feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
* fix(terraform): eval submodules (#6411)
* refactor(terraform): remove unused options (#6446)
* refactor(terraform): remove unused file (#6445)
* fix(misconf): Escape template value correctly (#6292)
* feat(misconf): add support for wildcard ignores (#6414)
* fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)
* refactor(terraform): remove metrics collection (#6444)
* feat(cloudformation): add support for logging and endpoint access for EKS (#6440)
* fix(db): check schema version for image name only (#6410)
* feat(misconf): Support private registries for misconf check bundle (#6327)
* feat(cloudformation): inline ignore support for YAML templates (#6358)
* feat(terraform): ignore resources by nested attributes (#6302)
* perf(helm): load in-memory files (#6383)
* feat(aws): apply filter options to result (#6367)
* feat(aws): quiet flag support (#6331)
* fix(misconf): clear location URI for SARIF (#6405)
* test(cloudformation): add CF tests (#6315)
* fix(cloudformation): infer type after resolving a function (#6406)
* fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)
* docs: add info about support for package license detection in `fs`/`repo` modes (#6381)
* fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)
* fix: use `0600` perms for tmp files for post analyzers (#6386)
* fix(helm): scan the subcharts once (#6382)
* docs(terraform): add file patterns for Terraform Plan (#6393)
* fix(terraform): checking SSE encryption algorithm validity (#6341)
* fix(java): parse modules from `pom.xml` files once (#6312)
* fix(server): add Locations for `Packages` in client/server mode (#6366)
* fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)
* fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)
* chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)
* feat(java): add support licenses and graph for gradle lock files (#6140)
* feat(vex): consider root component for relationships (#6313)
* fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)
* chore: updates wazero to v1.7.0 (#6301)
* feat(sbom): Support license detection for SBOM scan (#6072)
* refactor(sbom): use intermediate representation for SPDX (#6310)
* docs(terraform): improve documentation for filtering by inline comments (#6284)
* fix(terraform): fix policy document retrieval (#6276)
* refactor(terraform): remove unused custom error (#6303)
* refactor(sbom): add intermediate representation for BOM (#6240)
* fix(amazon): check only major version of AL to find advisories (#6295)
* fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)
* fix(nodejs): add name validation for package name from `package.json` (#6268)
* docs: Added install instructions for FreeBSD (#6293)
* feat(image): customer podman host or socket option (#6256)
* feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213)
* fix(license): reorder logic of how python package licenses are acquired (#6220)
* test(terraform): skip cached modules (#6281)
* feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
* fix(cloudformation): support of all SSE algorithms for s3 (#6270)
* feat(terraform): Terraform Plan snapshot scanning support (#6176)
* fix: typo function name and comment optimization (#6200)
* fix(java): don't ignore runtime scope for pom.xml files (#6223)
* fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)
* test(k8s): use test-db for k8s integration tests (#6222)
* fix(terraform): fix root module search (#6160)
* test(parser): squash test data for yarn (#6203)
* fix(terraform): do not re-expand dynamic blocks (#6151)
* docs: update ecosystem page reporting with db app (#6201)
* fix: k8s summary separate infra and user finding results (#6120)
* fix: add context to target finding on k8s table view (#6099)
* fix: Printf format err (#6198)
* refactor: better integration of the parser into Trivy (#6183)
* feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)
* fix(vex): CSAF filtering should consider relationships (#5923)
* refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)
* feat(vuln): ignore vulnerabilities by PURL (#6178)
* feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)
* feat(k8s): rancher rke2 version support (#5988)
* docs: update kbom distribution for scanning (#6019)
* chore: update CODEOWNERS (#6173)
* fix(swift): try to use branch to resolve version (#6168)
* fix(terraform): ensure consistent path handling across OS (#6161)
* fix(java): add only valid libs from `pom.properties` files from `jars` (#6164)
* fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)
* docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)
* docs: update template path for gitlab-ci tutorial (#6144)
* feat(report): support for filtering licenses and secrets via rego policy files (#6004)
* fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)
* docs: add SecObserve in CI/CD and reporting (#6139)
* fix(alpine): exclude empty licenses for apk packages (#6130)
* docs: add docs tutorial on custom policies with rego (#6104)
* fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)
* feat(vuln): show suppressed vulnerabilities in table (#6084)
* docs: rename governance to principles (#6107)
* docs: add governance (#6090)
* feat(java): add dependency location support for `gradle` files (#6083)
* fix(misconf): get `user` from `Config.User` (#6070)
Update to version 0.49.1:
* fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)
* docs: Fix broken link to 'pronunciation' (#6057)
* fix: fix cursor usage in Redis Clear function (#6056)
* fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)
* test: fix flaky `TestDockerEngine` (#6054)
* fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)
* fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)
* feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)
* docs: add note about Bun (#6001)
* fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)
* fix: check returned error before deferring f.Close() (#6007)
* feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)
* feat(vuln): enable `--vex` for all targets (#5992)
* docs: update link to data sources (#6000)
* feat(java): add support for line numbers for pom.xml files (#5991)
* refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)
* docs: Update troubleshooting guide with image not found error (#5983)
* style: update band logos (#5968)
* docs: update cosign tutorial and commands, update kyverno policy (#5929)
* docs: update command to scan go binary (#5969)
* fix: handle non-parsable images names (#5965)
* fix(amazon): save system files for pkgs containing `amzn` in src (#5951)
* fix(alpine): Add EOL support for alpine 3.19. (#5938)
* feat: allow end-users to adjust K8S client QPS and burst (#5910)
* fix(nodejs): find licenses for packages with slash (#5836)
* fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)
* fix: ignore no init containers (#5939)
* docs: Fix documentation of ecosystem (#5940)
* docs(misconf): multiple ignores in comment (#5926)
* fix(secret): find aws secrets ending with a comma or dot (#5921)
* docs: ✨ Updated ecosystem docs with reference to new community app (#5918)
* fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)
* feat(vex): add PURL matching for CSAF VEX (#5890)
* fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901)
* revert(report): don't escape new line characters for sarif format (#5897)
* docs: improve filter by rego (#5402)
* docs: add_scan2html_to_trivy_ecosystem (#5875)
* fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)
* feat(vex): Add support for CSAF format (#5535)
* feat(python): parse licenses from dist-info folder (#4724)
* feat(nodejs): add yarn alias support (#5818)
* refactor: propagate time through context values (#5858)
* refactor: move PkgRef under PkgIdentifier (#5831)
* fix(cyclonedx): fix unmarshal for licenses (#5828)
* feat(vuln): include pkg identifier on detected vulnerabilities (#5439)
Update to version 0.48.1:
* fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
* refactor(sbom): disable html escaping for CycloneDX (#5764)
* refactor(purl): use `pub` from `package-url` (#5784)
* docs(python): add note to using `pip freeze` for `compatible releases` (#5760)
* fix(report): use OS information for OS packages purl in `github` template (#5783)
* fix(report): fix error if miconfigs are empty (#5782)
* refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
* fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
* docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
* fix(report): update Gitlab template (#5721)
* feat(secret): add support of GitHub fine-grained tokens (#5740)
* fix(misconf): add an image misconf to result (#5731)
* feat(secret): added support of Docker registry credentials (#5720)
Update to version 0.48.0:
* feat: filter k8s core components vuln results (#5713)
* feat(vuln): remove duplicates in Fixed Version (#5596)
* feat(report): output plugin (#4863)
* docs: typo in modules.md (#5712)
* feat: Add flag to configure node-collector image ref (#5710)
* feat(misconf): Add `--misconfig-scanners` option (#5670)
* chore: bump Go to 1.21 (#5662)
* feat: Packagesprops support (#5605)
* docs: update adopters discussion template (#5632)
* docs: terraform tutorial links updated to point to correct loc (#5661)
* fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)
* fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
* fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)
* docs: Update Arch Linux package URL in installation.md (#5619)
* chore: add prefix to image errors (#5601)
* docs(vuln): fix link anchor (#5606)
* docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
* fix: k8s friendly error messages kbom non cluster scans (#5594)
* feat: set InstalledFiles for DEB and RPM packages (#5488)
* fix(report): use time.Time for CreatedAt (#5598)
* test: retry containerd initialization (#5597)
* feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)
* test: mock VM walker (#5589)
* chore: bump node-collector v0.0.9 (#5591)
* feat(misconf): Add support for `--cf-params` for CFT (#5507)
* feat(flag): replace '--slow' with '--parallel' (#5572)
* fix(report): add escaping for Sarif format (#5568)
* chore: show a deprecation notice for `--scanners config` (#5587)
* feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
* test: mock RPM DB (#5567)
* feat: add aliases to '--scanners' (#5558)
* refactor: reintroduce output writer (#5564)
* chore: not load plugins for auto-generating docs (#5569)
* chore: sort supported AWS services (#5570)
* fix: no schedule toleration (#5562)
* fix(cli): set correct `scanners` for `k8s` target (#5561)
* fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)
* refactor(misconf): Update refactored dependencies (#5245)
* feat(secret): add built-in rule for JWT tokens (#5480)
* fix: trivy k8s parse ecr image with arn (#5537)
* fix: fail k8s resource scanning (#5529)
* refactor(misconf): don't remove Highlighted in json format (#5531)
* docs(k8s): fix link in kubernetes.md (#5524)
* docs(k8s): fix whitespace in list syntax (#5525)
Update to version 0.47.0:
* docs: add info that license scanning supports file-patterns flag (#5484)
* docs: add Zora integration into Ecosystem session (#5490)
* fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
* fix: correct error mismatch causing race in fast walks (#5516)
* docs: k8s vulnerability scanning (#5515)
* docs: remove glad for java datasources (#5508)
* chore: remove unused logger attribute in amazon detector (#5476)
* fix: correct error mismatch causing race in fast walks (#5482)
* fix(server): add licenses to `BlobInfo` message (#5382)
* feat: scan vulns on k8s core component apps (#5418)
* fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)
* fix(sbom): save digests for package/application when scanning SBOM files (#5432)
* docs: fix the broken link (#5454)
* docs: fix error when installing `PyYAML` for gh pages (#5462)
* fix(java): download java-db once (#5442)
* docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)
* feat(misconf): Support `--ignore-policy` in config scans (#5359)
* docs(misconf): fix broken table for `Use container image` section (#5425)
* feat(dart): add graph support (#5374)
* refactor: define a new struct for scan targets (#5397)
* fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)
* fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
* docs: remove --scanners none (#5384)
* docs: Update container_image.md #5182 (#5193)
* feat(report): Add `InstalledFiles` field to Package (#4706)
* feat(k8s): add support for vulnerability detection (#5268)
* fix(python): override BOM in `requirements.txt` files (#5375)
* docs: add kbom documentation (#5363)
* test: use maximize build space for VM tests (#5362)
* fix(report): add escaping quotes in misconfig Title for asff template (#5351)
* fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
* fix: add config files to FS for post-analyzers (#5333)
* fix: fix MIME warnings after updating to Go 1.20 (#5336)
* build: fix a compile error with Go 1.21 (#5339)
* feat: added `Metadata` into the k8s resource's scan report (#5322)
* chore: update adopters template (#5330)
* fix(sbom): use PURL or Group and Name in case of Java (#5154)
* docs: add buildkite repository to ecosystem page (#5316)
* chore: enable go-critic (#5302)
* close java-db client (#5273)
* fix(report): removes git::http from uri in sarif (#5244)
* Improve the meaning of sentence (#5301)
* add app nil check (#5274)
* typo: in secret.md (#5281)
* docs: add info about `github` format (#5265)
* feat(dotnet): add license support for NuGet (#5217)
* docs: correctly export variables (#5260)
* chore: Add line numbers for lint output (#5247)
* chore(cli): disable java-db flags in server mode (#5263)
* feat(db): allow passing registry options (#5226)
* refactor(purl): use TypeApk from purl (#5232)
* chore: enable more linters (#5228)
* Fix typo on ide.md (#5239)
* refactor: use defined types (#5225)
* fix(purl): skip local Go packages (#5190)
* docs: update info about license scanning in Yarn projects (#5207)
* fix link (#5203)
* fix(purl): handle rust types (#5186)
* chore: auto-close issues (#5177)
* fix(k8s): kbom support addons labels (#5178)
* test: validate SPDX with the JSON schema (#5124)
* chore: bump trivy-kubernetes-latest (#5161)
* docs: add 'Signature Verification' guide (#4731)
* docs: add image-scanner-with-trivy for ecosystem (#5159)
* fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
* Update filtering.md (#5131)
* chaging adopters discussion tempalte (#5091)
* docs: add Bitnami (#5078)
* feat(docker): add support for scanning Bitnami components (#5062)
* feat: add support for .trivyignore.yaml (#5070)
* fix(terraform): improve detection of terraform files (#4984)
* feat: filter artifacts on --exclude-owned flag (#5059)
* fix(sbom): cyclonedx advisory should omit `null` value (#5041)
* build: maximize build space for build tests (#5072)
* feat: improve kbom component name (#5058)
* fix(pom): add licenses for pom artifacts (#5071)
* chore: bump Go to `1.20` (#5067)
* feat: PURL matching with qualifiers in OpenVEX (#5061)
* feat(java): add graph support for pom.xml (#4902)
* feat(swift): add vulns for cocoapods (#5037)
* fix: support image pull secret for additional workloads (#5052)
* fix: #5033 Superfluous double quote in html.tpl (#5036)
* docs(repo): update trivy repo usage and example (#5049)
* perf: Optimize Dockerfile for reduced layers and size (#5038)
* feat: scan K8s Resources Kind with --all-namespaces (#5043)
* fix: vulnerability typo (#5044)
* docs: adding a terraform tutorial to the docs (#3708)
* feat(report): add licenses to sarif format (#4866)
* feat(misconf): show the resource name in the report (#4806)
* chore: update alpine base images (#5015)
* feat: add Package.resolved swift files support (#4932)
* feat(nodejs): parse licenses in yarn projects (#4652)
* fix: k8s private registries support (#5021)
* bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
* feat(vuln): support last_affected field from osv (#4944)
* feat(server): add version endpoint (#4869)
* feat: k8s private registries support (#4987)
* fix(server): add indirect prop to package (#4974)
* docs: add coverage (#4954)
* feat(c): add location for lock file dependencies. (#4994)
* docs: adding blog post on ec2 (#4813)
* revert 32bit bins (#4977)
Patchnames
openSUSE-2024-269
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for trivy",
"title": "Title of the patch"
},
{
"category": "description",
"text": "trivy was updated to fix the following issues:\n\nUpdate to version 0.54.1:\n\n* fix(flag): incorrect behavior for deprected flag `--clear-cache` [backport: release/v0.54] (#7285)\n* fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)\n* fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)\n* release: v0.54.0 [main] (#7075)\n* docs: update ecosystem page reporting with plopsec.com app (#7262)\n* feat(vex): retrieve VEX attestations from OCI registries (#7249)\n* feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)\n* refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259)\n* fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110)\n* chore: show VEX notice for OSS maintainers in CI environments (#7246)\n* feat(vuln): add `--pkg-relationships` (#7237)\n* docs: show VEX cli pages + update config file page for VEX flags (#7244)\n* fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194)\n* feat(vex): VEX Repository support (#7206)\n* fix(secret): skip regular strings contain secret patterns (#7182)\n* feat: share build-in rules (#7207)\n* fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)\n* fix(cli): error on missing config file (#7154)\n* fix(secret): update length of `hugging-face-access-token` (#7216)\n* feat(sbom): add vulnerability support for SPDX formats (#7213)\n* fix(secret): trim excessively long lines (#7192)\n* chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)\n* fix(server): pass license categories to options (#7203)\n* feat(mariner): Add support for Azure Linux (#7186)\n* docs: updates config file (#7188)\n* refactor(fs): remove unused field for CompositeFS (#7195)\n* fix: add missing platform and type to spec 
(#7149)\n* feat(misconf): enabled China configuration for ACRs (#7156)\n* fix: close file when failed to open gzip (#7164)\n* docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)\n* docs(misconf): add info about limitations for terraform plan json (#7143)\n* chore: add VEX for Trivy images (#7140)\n* chore: add VEX document and generator for Trivy (#7128)\n* fix(misconf): do not evaluate TF when a load error occurs (#7109)\n* feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)\n* refactor(secret): move warning about file size after `IsBinary` check (#7123)\n* feat: add openSUSE tumbleweed detection and scanning (#6965)\n* test: add missing advisory details for integration tests database (#7122)\n* fix: Add dependencyManagement exclusions to the child exclusions (#6969)\n* fix: ignore nodes when listing permission is not allowed (#7107)\n* fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)\n* refactor(secret): add warning about large files (#7085)\n* feat(nodejs): add license parser to pnpm analyser (#7036)\n* refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)\n* feat: add `log.FilePath()` function for logger (#7080)\n* chore: bump golangci-lint from v1.58 to v1.59 (#7077)\n* perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation (#7065)\n* refactor: pass DB dir to trivy-db (#7057)\n* docs: navigate to the release highlights and summary (#7072)\n\nUpdate to version 0.53.0 (bsc#1227022, CVE-2024-6257):\n* release: v0.53.0 [main] (#6855)\n* feat(conda): add licenses support for `environment.yml` files (#6953)\n* fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)\n* feat: add memory cache backend (#7048)\n* fix(sbom): use package UIDs for uniqueness (#7042)\n* feat(php): add installed.json file support (#4865)\n* docs: \u2728 Updated ecosystem docs with reference to new community app (#7041)\n* fix: use embedded when command path not 
found (#7037)\n* refactor: use google/wire for cache (#7024)\n* fix(cli): show info message only when --scanners is available (#7032)\n* chore: enable float-compare rule from testifylint (#6967)\n* docs: Add sudo on commands, chmod before mv on install docs (#7009)\n* fix(plugin): respect `--insecure` (#7022)\n* feat(k8s)!: node-collector dynamic commands support (#6861)\n* fix(sbom): take pkg name from `purl` for maven pkgs (#7008)\n* feat!: add clean subcommand (#6993)\n* chore: use `!` for breaking changes (#6994)\n* feat(aws)!: Remove aws subcommand (#6995)\n* refactor: replace global cache directory with parameter passing (#6986)\n* fix(sbom): use `purl` for `bitnami` pkg names (#6982)\n* chore: bump Go toolchain version (#6984)\n* refactor: unify cache implementations (#6977)\n* docs: non-packaged and sbom clarifications (#6975)\n* BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin (#6819)\n* docs: delete unknown URL (#6972)\n* refactor: use version-specific URLs for documentation references (#6966)\n* refactor: delete db mock (#6940)\n* refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)\n* feat: Add local ImageID to SARIF metadata (#6522)\n* fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)\n* feat(java): add support for sbt projects using sbt-dependency-lock (#6882)\n* feat(java): add support for `maven-metadata.xml` files for remote snapshot repositories. 
(#6950)\n* fix(purl): add missed os types (#6955)\n* fix(cyclonedx): trim non-URL info for `advisory.url` (#6952)\n* fix(c): don\u0027t skip conan files from `file-patterns` and scan `.conan2` cache dir (#6949)\n* fix(image): parse `image.inspect.Created` field only for non-empty values (#6948)\n* fix(misconf): handle source prefix to ignore (#6945)\n* fix(misconf): fix parsing of engine links and frameworks (#6937)\n* feat(misconf): support of selectors for all providers for Rego (#6905)\n* fix(license): return license separation using separators `,`, `or`, etc. (#6916)\n* feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)\n* BREAKING(misconf): flatten recursive types (#6862)\n* test: bump docker API to 1.45 (#6914)\n* feat(sbom): migrate to `CycloneDX v1.6` (#6903)\n* feat(image): Set User-Agent header for Trivy container registry requests (#6868)\n* fix(debian): take installed files from the origin layer (#6849)\n* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken (#6858)\n* feat(misconf): API Gateway V1 support for CloudFormation (#6874)\n* feat(plugin): add support for nested archives (#6845)\n* fix(sbom): don\u0027t overwrite `srcEpoch` when decoding SBOM files (#6866)\n* fix(secret): `Asymmetric Private Key` shouldn\u0027t start with space (#6867)\n* chore: auto label discussions (#5259)\n* docs: explain how VEX is applied (#6864)\n* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)\n* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)\n* feat(dart): use first version of constraint for dependencies using SDK version (#6239)\n* fix(misconf): parsing numbers without fraction as int (#6834)\n* fix(misconf): fix caching of modules in subdirectories (#6814)\n* feat(misconf): add metadata to Cloud schema (#6831)\n* test: replace embedded Git repository with dynamically created repository (#6824)\n\nUpdate to version 0.52.2:\n\n* test: bump 
docker API to 1.45 [backport: release/v0.52] (#6922)\n* fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)\n\nUpdate to version 0.52.1:\n\n* release: v0.52.1 [release/v0.52] (#6877)\n* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)\n* fix(sbom): don\u0027t overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)\n* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)\n* docs: explain how VEX is applied (#6864)\n* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)\n\nUpdate to version 0.52.0 (bsc#1224781, CVE-2024-35192):\n\n* release: v0.52.0 [main] (#6809)\n* fix(plugin): initialize logger (#6836)\n* fix(cli): always output fatal errors to stderr (#6827)\n* fix: close testfile (#6830)\n* docs(julia): add scanner table (#6826)\n* feat(python): add license support for `requirement.txt` files (#6782)\n* docs: add more workarounds for out-of-disk (#6821)\n* chore: improve error message for image not found (#6822)\n* fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808)\n* fix: clean up golangci lint configuration (#6797)\n* fix(python): add package name and version validation for `requirements.txt` files. 
(#6804)\n* feat(vex): improve relationship support in CSAF VEX (#6735)\n* chore(alpine): add eol date for Alpine 3.20 (#6800)\n* docs(plugin): add missed `plugin` section (#6799)\n* fix: include packages unless it is not needed (#6765)\n* feat(misconf): support for VPC resources for inbound/outbound rules (#6779)\n* chore: replace interface{} with any (#6751)\n* fix: close settings.xml (#6768)\n* refactor(go): add priority for gobinary module versions from `ldflags` (#6745)\n* build: use main package instead of main.go (#6766)\n* feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)\n* docs: add info on adding compliance checks (#6275)\n* docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)\n* feat(nodejs): add v9 pnpm lock file support (#6617)\n* feat(vex): support non-root components for products in OpenVEX (#6728)\n* feat(python): add line number support for `requirement.txt` files (#6729)\n* chore: respect timeout value in .golangci.yaml (#6724)\n* fix: node-collector high and critical cves (#6707)\n* Merge pull request from GHSA-xcq4-m2r3-cmrj\n* chore: auto-bump golang patch versions (#6711)\n* fix(misconf): don\u0027t shift ignore rule related to code (#6708)\n* feat(plugin): specify plugin version (#6683)\n* chore: enforce golangci-lint version (#6700)\n* fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705)\n* fix(go): add only non-empty root modules for `gobinaries` (#6710)\n* refactor: unify package addition and vulnerability scanning (#6579)\n* fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)\n* feat(misconf): Add support for deprecating a check (#6664)\n* feat: Add Julia language analyzer support (#5635)\n* feat(misconf): register builtin Rego funcs from trivy-checks (#6616)\n* fix(report): hide empty tables if all vulns has been filtered (#6352)\n* feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)\n* 
feat: add support for plugin index (#6674)\n* docs: add support table for client server mode (#6498)\n* fix: close APKINDEX archive file (#6672)\n* fix(misconf): skip Rego errors with a nil location (#6666)\n* refactor: move artifact types under artifact package to avoid import cycles (#6652)\n* refactor(misconf): remove extrafs (#6656)\n* refactor: re-define module structs for serialization (#6655)\n* chore(misconf): Clean up iac logger (#6642)\n* feat(misconf): support symlinks inside of Helm archives (#6621)\n* feat(misconf): add Terraform \u0027removed\u0027 block to schema (#6640)\n* refactor: unify Library and Package structs (#6633)\n* fix: use of specified context to obtain cluster name (#6645)\n* perf(misconf): parse rego input once (#6615)\n* fix(misconf): skip Rego errors with a nil location (#6638)\n* docs: link warning to both timeout config options (#6620)\n* docs: fix usage of image-config-scanners (#6635)\n\nUpdate to version 0.51.1:\n\n* fix(fs): handle default skip dirs properly (#6628)\n* fix(misconf): load cached tf modules (#6607)\n* fix(misconf): do not use semver for parsing tf module versions (#6614)\n* refactor: move setting scanners when using compliance reports to flag parsing (#6619)\n* feat: introduce package UIDs for improved vulnerability mapping (#6583)\n* perf(misconf): Improve cause performance (#6586)\n* docs: trivy-k8s new experiance remove un-used section (#6608)\n* docs: remove mention of GitLab Gold because it doesn\u0027t exist anymore (#6609)\n* feat(misconf): Use updated terminology for misconfiguration checks (#6476)\n* docs: use `generic` link from `trivy-repo` (#6606)\n* docs: update trivy k8s with new experience (#6465)\n* feat: support `--skip-images` scanning flag (#6334)\n* BREAKING: add support for k8s `disable-node-collector` flag (#6311)\n* feat: add ubuntu 23.10 and 24.04 support (#6573)\n* docs(go): add stdlib (#6580)\n* feat(go): parse main mod version from build info settings (#6564)\n* feat: respect custom 
exit code from plugin (#6584)\n* docs: add asdf and mise installation method (#6063)\n* feat(vuln): Handle scanning conan v2.x lockfiles (#6357)\n* feat: add support `environment.yaml` files (#6569)\n* fix: close plugin.yaml (#6577)\n* fix: trivy k8s avoid deleting non-default node collector namespace (#6559)\n* BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)\n* feat(go): add main module (#6574)\n* feat: add relationships (#6563)\n* docs: mention `--show-suppressed` is available in table (#6571)\n* chore: fix sqlite to support loong64 (#6511)\n* fix(debian): sort dpkg info before parsing due to exclude directories (#6551)\n* docs: update info about config file (#6547)\n* docs: remove RELEASE_VERSION from trivy.repo (#6546)\n* fix(sbom): change error to warning for multiple OSes (#6541)\n* fix(vuln): skip empty versions (#6542)\n* feat(c): add license support for conan lock files (#6329)\n* fix(terraform): Attribute and fileset fixes (#6544)\n* refactor: change warning if no vulnerability details are found (#6230)\n* refactor(misconf): improve error handling in the Rego scanner (#6527)\n* feat(go): parse main module of go binary files (#6530)\n* refactor(misconf): simplify the retrieval of module annotations (#6528)\n* docs(nodejs): add info about supported versions of pnpm lock files (#6510)\n* feat(misconf): loading embedded checks as a fallback (#6502)\n* fix(misconf): Parse JSON k8s manifests properly (#6490)\n* refactor: remove parallel walk (#5180)\n* fix: close pom.xml (#6507)\n* fix(secret): convert severity for custom rules (#6500)\n* fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)\n* fix: typo (#6283)\n* docs(k8s,image): fix command-line syntax issues (#6403)\n* fix(misconf): avoid panic if the scheme is not valid (#6496)\n* feat(image): goversion as stdlib (#6277)\n* fix: add color for error inside of log message (#6493)\n* docs: fix links to OPA docs (#6480)\n* 
refactor: replace zap with slog (#6466)\n* docs: update links to IaC schemas (#6477)\n* chore: bump Go to 1.22 (#6075)\n* refactor(terraform): sync funcs with Terraform (#6415)\n* feat(misconf): add helm-api-version and helm-kube-version flag (#6332)\n* fix(terraform): eval submodules (#6411)\n* refactor(terraform): remove unused options (#6446)\n* refactor(terraform): remove unused file (#6445)\n* fix(misconf): Escape template value correctly (#6292)\n* feat(misconf): add support for wildcard ignores (#6414)\n* fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)\n* refactor(terraform): remove metrics collection (#6444)\n* feat(cloudformation): add support for logging and endpoint access for EKS (#6440)\n* fix(db): check schema version for image name only (#6410)\n* feat(misconf): Support private registries for misconf check bundle (#6327)\n* feat(cloudformation): inline ignore support for YAML templates (#6358)\n* feat(terraform): ignore resources by nested attributes (#6302)\n* perf(helm): load in-memory files (#6383)\n* feat(aws): apply filter options to result (#6367)\n* feat(aws): quiet flag support (#6331)\n* fix(misconf): clear location URI for SARIF (#6405)\n* test(cloudformation): add CF tests (#6315)\n* fix(cloudformation): infer type after resolving a function (#6406)\n* fix(sbom): fix error when parent of SPDX Relationships is not a package. 
(#6399)\n* docs: add info about support for package license detection in `fs`/`repo` modes (#6381)\n* fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)\n* fix: use `0600` perms for tmp files for post analyzers (#6386)\n* fix(helm): scan the subcharts once (#6382)\n* docs(terraform): add file patterns for Terraform Plan (#6393)\n* fix(terraform): \u0441hecking SSE encryption algorithm validity (#6341)\n* fix(java): parse modules from `pom.xml` files once (#6312)\n* fix(server): add Locations for `Packages` in client/server mode (#6366)\n* fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)\n* fix(report): don\u0027t include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)\n* chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)\n* feat(java): add support licenses and graph for gradle lock files (#6140)\n* feat(vex): consider root component for relationships (#6313)\n* fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)\n* chore: updates wazero to v1.7.0 (#6301)\n* feat(sbom): Support license detection for SBOM scan (#6072)\n* refactor(sbom): use intermediate representation for SPDX (#6310)\n* docs(terraform): improve documentation for filtering by inline comments (#6284)\n* fix(terraform): fix policy document retrieval (#6276)\n* refactor(terraform): remove unused custom error (#6303)\n* refactor(sbom): add intermediate representation for BOM (#6240)\n* fix(amazon): check only major version of AL to find advisories (#6295)\n* fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)\n* fix(nodejs): add name validation for package name from `package.json` (#6268)\n* docs: Added install instructions for FreeBSD (#6293)\n* feat(image): customer podman host or socket option (#6256)\n* feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml 
files as `Dev` (#6213)\n* fix(license): reorder logic of how python package licenses are acquired (#6220)\n* test(terraform): skip cached modules (#6281)\n* feat(secret): Support for detecting Hugging Face Access Tokens (#6236)\n* fix(cloudformation): support of all SSE algorithms for s3 (#6270)\n* feat(terraform): Terraform Plan snapshot scanning support (#6176)\n* fix: typo function name and comment optimization (#6200)\n* fix(java): don\u0027t ignore runtime scope for pom.xml files (#6223)\n* fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)\n* test(k8s): use test-db for k8s integration tests (#6222)\n* fix(terraform): fix root module search (#6160)\n* test(parser): squash test data for yarn (#6203)\n* fix(terraform): do not re-expand dynamic blocks (#6151)\n* docs: update ecosystem page reporting with db app (#6201)\n* fix: k8s summary separate infra and user finding results (#6120)\n* fix: add context to target finding on k8s table view (#6099)\n* fix: Printf format err (#6198)\n* refactor: better integration of the parser into Trivy (#6183)\n* feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)\n* fix(vex): CSAF filtering should consider relationships (#5923)\n* refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)\n* feat(vuln): ignore vulnerabilities by PURL (#6178)\n* feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)\n* feat(k8s): rancher rke2 version support (#5988)\n* docs: update kbom distribution for scanning (#6019)\n* chore: update CODEOWNERS (#6173)\n* fix(swift): try to use branch to resolve version (#6168)\n* fix(terraform): ensure consistent path handling across OS (#6161)\n* fix(java): add only valid libs from `pom.properties` files from `jars` (#6164)\n* fix(sbom): skip executable file analysis if Rekor isn\u0027t a specified SBOM source (#6163)\n* docs(report): add 
remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)\n* docs: update template path for gitlab-ci tutorial (#6144)\n* feat(report): support for filtering licenses and secrets via rego policy files (#6004)\n* fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)\n* docs: add SecObserve in CI/CD and reporting (#6139)\n* fix(alpine): exclude empty licenses for apk packages (#6130)\n* docs: add docs tutorial on custom policies with rego (#6104)\n* fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)\n* feat(vuln): show suppressed vulnerabilities in table (#6084)\n* docs: rename governance to principles (#6107)\n* docs: add governance (#6090)\n* feat(java): add dependency location support for `gradle` files (#6083)\n* fix(misconf): get `user` from `Config.User` (#6070)\n\nUpdate to version 0.49.1:\n\n* fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)\n* docs: Fix broken link to \u0027pronunciation\u0027 (#6057)\n* fix: fix cursor usage in Redis Clear function (#6056)\n* fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)\n* test: fix flaky `TestDockerEngine` (#6054)\n* fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)\n* fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)\n* feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)\n* docs: add note about Bun (#6001)\n* fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)\n* fix: check returned error before deferring f.Close() (#6007)\n* feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)\n* feat(vuln): enable `--vex` for all targets (#5992)\n* docs: update link to data sources (#6000)\n* feat(java): add support for line numbers for pom.xml files (#5991)\n* refactor(sbom): use new `metadata.tools` 
struct for CycloneDX (#5981)\n* docs: Update troubleshooting guide with image not found error (#5983)\n* style: update band logos (#5968)\n* docs: update cosign tutorial and commands, update kyverno policy (#5929)\n* docs: update command to scan go binary (#5969)\n* fix: handle non-parsable images names (#5965)\n* fix(amazon): save system files for pkgs containing `amzn` in src (#5951)\n* fix(alpine): Add EOL support for alpine 3.19. (#5938)\n* feat: allow end-users to adjust K8S client QPS and burst (#5910)\n* fix(nodejs): find licenses for packages with slash (#5836)\n* fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)\n* fix: ignore no init containers (#5939)\n* docs: Fix documentation of ecosystem (#5940)\n* docs(misconf): multiple ignores in comment (#5926)\n* fix(secret): find aws secrets ending with a comma or dot (#5921)\n* docs: \u2728 Updated ecosystem docs with reference to new community app (#5918)\n* fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)\n* feat(vex): add PURL matching for CSAF VEX (#5890)\n* fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. 
(#5901)\n* revert(report): don\u0027t escape new line characters for sarif format (#5897)\n* docs: improve filter by rego (#5402)\n* docs: add_scan2html_to_trivy_ecosystem (#5875)\n* fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)\n* feat(vex): Add support for CSAF format (#5535)\n* feat(python): parse licenses from dist-info folder (#4724)\n* feat(nodejs): add yarn alias support (#5818)\n* refactor: propagate time through context values (#5858)\n* refactor: move PkgRef under PkgIdentifier (#5831)\n* fix(cyclonedx): fix unmarshal for licenses (#5828)\n* feat(vuln): include pkg identifier on detected vulnerabilities (#5439)\n\nUpdate to version 0.48.1:\n\n* fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)\n* refactor(sbom): disable html escaping for CycloneDX (#5764)\n* refactor(purl): use `pub` from `package-url` (#5784)\n* docs(python): add note to using `pip freeze` for `compatible releases` (#5760)\n* fix(report): use OS information for OS packages purl in `github` template (#5783)\n* fix(report): fix error if miconfigs are empty (#5782)\n* refactor(vuln): don\u0027t remove VendorSeverity in JSON report (#5761)\n* fix(report): don\u0027t mark misconfig passed tests as failed in junit.tpl (#5767)\n* docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)\n* fix(report): update Gitlab template (#5721)\n* feat(secret): add support of GitHub fine-grained tokens (#5740)\n* fix(misconf): add an image misconf to result (#5731)\n* feat(secret): added support of Docker registry credentials (#5720)\n\nUpdate to version 0.48.0:\n\n* feat: filter k8s core components vuln results (#5713)\n* feat(vuln): remove duplicates in Fixed Version (#5596)\n* feat(report): output plugin (#4863)\n* docs: typo in modules.md (#5712)\n* feat: Add flag to configure node-collector image ref (#5710)\n* feat(misconf): Add `--misconfig-scanners` option (#5670)\n* chore: bump Go to 1.21 (#5662)\n* feat: 
Packagesprops support (#5605)\n* docs: update adopters discussion template (#5632)\n* docs: terraform tutorial links updated to point to correct loc (#5661)\n* fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)\n* fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)\n* fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)\n* docs: Update Arch Linux package URL in installation.md (#5619)\n* chore: add prefix to image errors (#5601)\n* docs(vuln): fix link anchor (#5606)\n* docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)\n* fix: k8s friendly error messages kbom non cluster scans (#5594)\n* feat: set InstalledFiles for DEB and RPM packages (#5488)\n* fix(report): use time.Time for CreatedAt (#5598)\n* test: retry containerd initialization (#5597)\n* feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)\n* test: mock VM walker (#5589)\n* chore: bump node-collector v0.0.9 (#5591)\n* feat(misconf): Add support for `--cf-params` for CFT (#5507)\n* feat(flag): replace \u0027--slow\u0027 with \u0027--parallel\u0027 (#5572)\n* fix(report): add escaping for Sarif format (#5568)\n* chore: show a deprecation notice for `--scanners config` (#5587)\n* feat(report): Add CreatedAt to the JSON report. 
(#5542) (#5549)\n* test: mock RPM DB (#5567)\n* feat: add aliases to \u0027--scanners\u0027 (#5558)\n* refactor: reintroduce output writer (#5564)\n* chore: not load plugins for auto-generating docs (#5569)\n* chore: sort supported AWS services (#5570)\n* fix: no schedule toleration (#5562)\n* fix(cli): set correct `scanners` for `k8s` target (#5561)\n* fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)\n* refactor(misconf): Update refactored dependencies (#5245)\n* feat(secret): add built-in rule for JWT tokens (#5480)\n* fix: trivy k8s parse ecr image with arn (#5537)\n* fix: fail k8s resource scanning (#5529)\n* refactor(misconf): don\u0027t remove Highlighted in json format (#5531)\n* docs(k8s): fix link in kubernetes.md (#5524)\n* docs(k8s): fix whitespace in list syntax (#5525)\n\nUpdate to version 0.47.0:\n\n* docs: add info that license scanning supports file-patterns flag (#5484)\n* docs: add Zora integration into Ecosystem session (#5490)\n* fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)\n* fix: correct error mismatch causing race in fast walks (#5516)\n* docs: k8s vulnerability scanning (#5515)\n* docs: remove glad for java datasources (#5508)\n* chore: remove unused logger attribute in amazon detector (#5476)\n* fix: correct error mismatch causing race in fast walks (#5482)\n* fix(server): add licenses to `BlobInfo` message (#5382)\n* feat: scan vulns on k8s core component apps (#5418)\n* fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)\n* fix(sbom): save digests for package/application when scanning SBOM files (#5432)\n* docs: fix the broken link (#5454)\n* docs: fix error when installing `PyYAML` for gh pages (#5462)\n* fix(java): download java-db once (#5442)\n* docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)\n* feat(misconf): Support `--ignore-policy` in config scans (#5359)\n* docs(misconf): fix broken table for `Use 
container image` section (#5425)\n* feat(dart): add graph support (#5374)\n* refactor: define a new struct for scan targets (#5397)\n* fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)\n* fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)\n* docs: remove --scanners none (#5384)\n* docs: Update container_image.md #5182 (#5193)\n* feat(report): Add `InstalledFiles` field to Package (#4706)\n* feat(k8s): add support for vulnerability detection (#5268)\n* fix(python): override BOM in `requirements.txt` files (#5375)\n* docs: add kbom documentation (#5363)\n* test: use maximize build space for VM tests (#5362)\n* fix(report): add escaping quotes in misconfig Title for asff template (#5351)\n* fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)\n* fix: add config files to FS for post-analyzers (#5333)\n* fix: fix MIME warnings after updating to Go 1.20 (#5336)\n* build: fix a compile error with Go 1.21 (#5339)\n* feat: added `Metadata` into the k8s resource\u0027s scan report (#5322)\n* chore: update adopters template (#5330)\n* fix(sbom): use PURL or Group and Name in case of Java (#5154)\n* docs: add buildkite repository to ecosystem page (#5316)\n* chore: enable go-critic (#5302)\n* close java-db client (#5273)\n* fix(report): removes git::http from uri in sarif (#5244)\n* Improve the meaning of sentence (#5301)\n* add app nil check (#5274)\n* typo: in secret.md (#5281)\n* docs: add info about `github` format (#5265)\n* feat(dotnet): add license support for NuGet (#5217)\n* docs: correctly export variables (#5260)\n* chore: Add line numbers for lint output (#5247)\n* chore(cli): disable java-db flags in server mode (#5263)\n* feat(db): allow passing registry options (#5226)\n* refactor(purl): use TypeApk from purl (#5232)\n* chore: enable more linters (#5228)\n* Fix typo on ide.md (#5239)\n* refactor: use defined types (#5225)\n* fix(purl): skip local Go packages (#5190)\n* 
docs: update info about license scanning in Yarn projects (#5207)\n* fix link (#5203)\n* fix(purl): handle rust types (#5186)\n* chore: auto-close issues (#5177)\n* fix(k8s): kbom support addons labels (#5178)\n* test: validate SPDX with the JSON schema (#5124)\n* chore: bump trivy-kubernetes-latest (#5161)\n* docs: add \u0027Signature Verification\u0027 guide (#4731)\n* docs: add image-scanner-with-trivy for ecosystem (#5159)\n* fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)\n* Update filtering.md (#5131)\n* chaging adopters discussion tempalte (#5091)\n* docs: add Bitnami (#5078)\n* feat(docker): add support for scanning Bitnami components (#5062)\n* feat: add support for .trivyignore.yaml (#5070)\n* fix(terraform): improve detection of terraform files (#4984)\n* feat: filter artifacts on --exclude-owned flag (#5059)\n* fix(sbom): cyclonedx advisory should omit `null` value (#5041)\n* build: maximize build space for build tests (#5072)\n* feat: improve kbom component name (#5058)\n* fix(pom): add licenses for pom artifacts (#5071)\n* chore: bump Go to `1.20` (#5067)\n* feat: PURL matching with qualifiers in OpenVEX (#5061)\n* feat(java): add graph support for pom.xml (#4902)\n* feat(swift): add vulns for cocoapods (#5037)\n* fix: support image pull secret for additional workloads (#5052)\n* fix: #5033 Superfluous double quote in html.tpl (#5036)\n* docs(repo): update trivy repo usage and example (#5049)\n* perf: Optimize Dockerfile for reduced layers and size (#5038)\n* feat: scan K8s Resources Kind with --all-namespaces (#5043)\n* fix: vulnerability typo (#5044)\n* docs: adding a terraform tutorial to the docs (#3708)\n* feat(report): add licenses to sarif format (#4866)\n* feat(misconf): show the resource name in the report (#4806)\n* chore: update alpine base images (#5015)\n* feat: add Package.resolved swift files support (#4932)\n* feat(nodejs): parse licenses in yarn projects (#4652)\n* fix: k8s private registries 
support (#5021)\n* bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)\n* feat(vuln): support last_affected field from osv (#4944)\n* feat(server): add version endpoint (#4869)\n* feat: k8s private registries support (#4987)\n* fix(server): add indirect prop to package (#4974)\n* docs: add coverage (#4954)\n* feat(c): add location for lock file dependencies. (#4994)\n* docs: adding blog post on ec2 (#4813)\n* revert 32bit bins (#4977)\n\t ",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2024-269",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0269-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:0269-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OQ7DWO7D4FBUA7VBLBTF3YWOOT4647TB/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:0269-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OQ7DWO7D4FBUA7VBLBTF3YWOOT4647TB/"
},
{
"category": "self",
"summary": "SUSE Bug 1224781",
"url": "https://bugzilla.suse.com/1224781"
},
{
"category": "self",
"summary": "SUSE Bug 1227022",
"url": "https://bugzilla.suse.com/1227022"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42363 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42363/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35192 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35192/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-6257 page",
"url": "https://www.suse.com/security/cve/CVE-2024-6257/"
}
],
"title": "Security update for trivy",
"tracking": {
"current_release_date": "2024-08-30T08:00:45Z",
"generator": {
"date": "2024-08-30T08:00:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:0269-1",
"initial_release_date": "2024-08-30T08:00:45Z",
"revision_history": [
{
"date": "2024-08-30T08:00:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp156.2.3.1.aarch64",
"product": {
"name": "trivy-0.54.1-bp156.2.3.1.aarch64",
"product_id": "trivy-0.54.1-bp156.2.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp156.2.3.1.i586",
"product": {
"name": "trivy-0.54.1-bp156.2.3.1.i586",
"product_id": "trivy-0.54.1-bp156.2.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp156.2.3.1.ppc64le",
"product": {
"name": "trivy-0.54.1-bp156.2.3.1.ppc64le",
"product_id": "trivy-0.54.1-bp156.2.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp156.2.3.1.s390x",
"product": {
"name": "trivy-0.54.1-bp156.2.3.1.s390x",
"product_id": "trivy-0.54.1-bp156.2.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-0.54.1-bp156.2.3.1.x86_64",
"product": {
"name": "trivy-0.54.1-bp156.2.3.1.x86_64",
"product_id": "trivy-0.54.1-bp156.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP6",
"product": {
"name": "SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.aarch64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.aarch64"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.i586 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.i586"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.ppc64le as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.ppc64le"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.s390x as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.s390x"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.x86_64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.x86_64"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.aarch64"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.i586 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.i586"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.ppc64le"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.s390x"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-0.54.1-bp156.2.3.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.x86_64"
},
"product_reference": "trivy-0.54.1-bp156.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42363"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.x86_64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.aarch64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.i586",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.s390x",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42363",
"url": "https://www.suse.com/security/cve/CVE-2023-42363"
},
{
"category": "external",
"summary": "SUSE Bug 1217580 for CVE-2023-42363",
"url": "https://bugzilla.suse.com/1217580"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.x86_64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.aarch64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.i586",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.s390x",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.x86_64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.aarch64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.i586",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.s390x",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-30T08:00:45Z",
"details": "moderate"
}
],
"title": "CVE-2023-42363"
},
{
"cve": "CVE-2024-35192",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35192"
}
],
"notes": [
{
"category": "general",
"text": "Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. Systems are not affected if the default credential provider chain is unable to obtain valid credentials. This vulnerability only applies when scanning container images directly from a registry. This vulnerability is fixed in 0.51.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.x86_64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.aarch64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.i586",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.s390x",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35192",
"url": "https://www.suse.com/security/cve/CVE-2024-35192"
},
{
"category": "external",
"summary": "SUSE Bug 1224781 for CVE-2024-35192",
"url": "https://bugzilla.suse.com/1224781"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.x86_64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.aarch64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.i586",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.s390x",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-30T08:00:45Z",
"details": "low"
}
],
"title": "CVE-2024-35192"
},
{
"cve": "CVE-2024-6257",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-6257"
}
],
"notes": [
{
"category": "general",
"text": "HashiCorp\u0027s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.x86_64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.aarch64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.i586",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.s390x",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-6257",
"url": "https://www.suse.com/security/cve/CVE-2024-6257"
},
{
"category": "external",
"summary": "SUSE Bug 1227011 for CVE-2024-6257",
"url": "https://bugzilla.suse.com/1227011"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.aarch64",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.i586",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.s390x",
"SUSE Package Hub 15 SP6:trivy-0.54.1-bp156.2.3.1.x86_64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.aarch64",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.i586",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.ppc64le",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.s390x",
"openSUSE Leap 15.6:trivy-0.54.1-bp156.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-08-30T08:00:45Z",
"details": "important"
}
],
"title": "CVE-2024-6257"
}
]
}
SUSE-SU-2025:03271-2
Vulnerability from csaf_suse - Published: 2025-09-23 14:03 - Updated: 2025-09-23 14:03
Summary
Security update for busybox, busybox-links
Notes
Title of the patch
Security update for busybox, busybox-links
Description of the patch
This update for busybox, busybox-links fixes the following issues:
Updated to version 1.37.0 (jsc#PED-13039):
- CVE-2023-42363: Fixed use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580)
- CVE-2023-42364: Fixed use-after-free in the awk.c evaluate function (bsc#1217584)
- CVE-2023-42365: Fixed use-after-free in the awk.c copyvar function (bsc#1217585)
Other fixes:
- fix generation of file lists via Dockerfile
- add copy of busybox.links from the container to catch changes
to busybox config
- Blacklist creating links for halt, reboot, shutdown commands to avoid accidental
use in a fully booted system (bsc#1243201)
- Add getfattr applet to attr filelist
- busybox-udhcpc conflicts with udhcp.
- Add new sub-package for udhcpc
- zgrep: don't set the label option as only the real grep
supports it (bsc#1215943)
- Add conflict for coreutils-systemd, package was split
- Check in filelists instead of buildrequiring all non-busybox utils
- Replace transitional %usrmerged macro with regular version check (bsc#1206798)
- Create sub-package 'hexedit' [bsc#1203399]
- Create sub-package 'sha3sum' [bsc#1203397]
- Drop update-alternatives support
- Add provides smtp_daemon to busybox-sendmail
- Add conflicts: mawk to busybox-gawk
- fix mkdir path to point to /usr/bin instead of /bin
- add placeholder variable and ignore applet logic to busybox.install
- enable halt, poweroff, reboot commands (bsc#1243201)
- Fully enable udhcpc and document that this tool needs special
configuration and does not work out of the box [bsc#1217883]
- Replace transitional %usrmerged macro with regular version check (bsc#1206798)
Patchnames
SUSE-2025-3271,openSUSE-SLE-15.6-2025-3271
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for busybox, busybox-links",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for busybox, busybox-links fixes the following issues:\n\nUpdated to version 1.37.0 (jsc#PED-13039):\n\n - CVE-2023-42363: Fixed use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580)\n - CVE-2023-42364: Fixed use-after-free in the awk.c evaluate function (bsc#1217584)\n - CVE-2023-42365: Fixed use-after-free in the awk.c copyvar function (bsc#1217585)\n\nOther fixes:\n\n - fix generation of file lists via Dockerfile \n - add copy of busybox.links from the container to catch changes\n to busybox config\n - Blacklist creating links for halt, reboot, shutdown commands to avoid accidental\n use in a fully booted system (bsc#1243201) \n - Add getfattr applet to attr filelist\n - busybox-udhcpc conflicts with udhcp.\n - Add new sub-package for udhcpc\n - zgrep: don\u0027t set the label option as only the real grep\n supports it (bsc#1215943)\n - Add conflict for coreutils-systemd, package got splitted\n - Check in filelists instead of buildrequiring all non-busybox utils\n - Replace transitional %usrmerged macro with regular version check (bsc#1206798)\n - Create sub-package \u0027hexedit\u0027 [bsc#1203399]\n - Create sub-package \u0027sha3sum\u0027 [bsc#1203397]\n - Drop update-alternatives support\n - Add provides smtp_daemon to busybox-sendmail\n - Add conflicts: mawk to busybox-gawk\n - fix mkdir path to point to /usr/bin instead of /bin\n - add placeholder variable and ignore applet logic to busybox.install \n - enable halt, poweroff, reboot commands (bsc#1243201) \n - Fully enable udhcpc and document that this tool needs special\n configuration and does not work out of the box [bsc#1217883]\n - Replace transitional %usrmerged macro with regular version check (bsc#1206798)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3271,openSUSE-SLE-15.6-2025-3271",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03271-2.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03271-2",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503271-2/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03271-2",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-September/041812.html"
},
{
"category": "self",
"summary": "SUSE Bug 1203397",
"url": "https://bugzilla.suse.com/1203397"
},
{
"category": "self",
"summary": "SUSE Bug 1203399",
"url": "https://bugzilla.suse.com/1203399"
},
{
"category": "self",
"summary": "SUSE Bug 1206798",
"url": "https://bugzilla.suse.com/1206798"
},
{
"category": "self",
"summary": "SUSE Bug 1215943",
"url": "https://bugzilla.suse.com/1215943"
},
{
"category": "self",
"summary": "SUSE Bug 1217580",
"url": "https://bugzilla.suse.com/1217580"
},
{
"category": "self",
"summary": "SUSE Bug 1217584",
"url": "https://bugzilla.suse.com/1217584"
},
{
"category": "self",
"summary": "SUSE Bug 1217585",
"url": "https://bugzilla.suse.com/1217585"
},
{
"category": "self",
"summary": "SUSE Bug 1217883",
"url": "https://bugzilla.suse.com/1217883"
},
{
"category": "self",
"summary": "SUSE Bug 1239176",
"url": "https://bugzilla.suse.com/1239176"
},
{
"category": "self",
"summary": "SUSE Bug 1243201",
"url": "https://bugzilla.suse.com/1243201"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42363 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42363/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42364 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42364/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42365 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42365/"
}
],
"title": "Security update for busybox, busybox-links",
"tracking": {
"current_release_date": "2025-09-23T14:03:30Z",
"generator": {
"date": "2025-09-23T14:03:30Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03271-2",
"initial_release_date": "2025-09-23T14:03:30Z",
"revision_history": [
{
"date": "2025-09-23T14:03:30Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.aarch64",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.aarch64",
"product_id": "busybox-1.37.0-150500.10.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"product_id": "busybox-static-1.37.0-150500.10.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"product": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"product_id": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.i586",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.i586",
"product_id": "busybox-1.37.0-150500.10.11.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.i586",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.i586",
"product_id": "busybox-static-1.37.0-150500.10.11.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.i586",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.i586",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.i586",
"product": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.i586",
"product_id": "busybox-warewulf3-1.37.0-150500.10.11.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-adduser-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-adduser-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-adduser-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-attr-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-attr-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-attr-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bc-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-bc-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-bc-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-bzip2-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-coreutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-cpio-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-cpio-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-cpio-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-diffutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-ed-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-ed-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-ed-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-findutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-findutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-findutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-gawk-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-gawk-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-gawk-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-grep-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-grep-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-grep-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-gzip-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-gzip-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-gzip-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-hexedit-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-hostname-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-hostname-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-hostname-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-iproute2-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-iputils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-iputils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-iputils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-kbd-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-kbd-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-kbd-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-kmod-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-kmod-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-kmod-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-less-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-less-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-less-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-links-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-links-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-links-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-man-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-man-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-man-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-misc-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-misc-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-misc-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-net-tools-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-netcat-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-netcat-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-netcat-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-patch-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-patch-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-patch-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-procps-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-procps-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-procps-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-psmisc-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sed-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sed-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sed-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sendmail-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sh-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sh-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sh-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sharutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-syslogd-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tar-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-tar-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-tar-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-telnet-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-telnet-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-telnet-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tftp-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-tftp-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-tftp-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-time-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-time-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-time-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-traceroute-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-tunctl-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-unzip-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-unzip-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-unzip-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-util-linux-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-vi-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-vi-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-vi-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-vlan-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-vlan-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-vlan-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-wget-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-wget-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-wget-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-which-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-which-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-which-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-whois-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-whois-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-whois-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-xz-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-xz-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-xz-1.37.0-150500.7.7.2.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.ppc64le",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.ppc64le",
"product_id": "busybox-1.37.0-150500.10.11.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"product_id": "busybox-static-1.37.0-150500.10.11.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.s390x",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.s390x",
"product_id": "busybox-1.37.0-150500.10.11.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.s390x",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.s390x",
"product_id": "busybox-static-1.37.0-150500.10.11.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.x86_64",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64",
"product_id": "busybox-1.37.0-150500.10.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"product_id": "busybox-static-1.37.0-150500.10.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"product": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"product_id": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-adduser-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-adduser-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-attr-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-attr-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-bc-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-bc-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-bzip2-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-coreutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-cpio-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-cpio-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-diffutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-ed-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-ed-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-findutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-findutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-gawk-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-gawk-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-grep-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-grep-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-gzip-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-gzip-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-hexedit-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-hostname-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-hostname-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-iproute2-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-iputils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-iputils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-kbd-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-kbd-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-kmod-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-kmod-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-less-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-less-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-links-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-links-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-man-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-man-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-misc-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-misc-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-net-tools-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-netcat-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-netcat-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-patch-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-patch-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-procps-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-procps-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-psmisc-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sed-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sed-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sendmail-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sh-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sh-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sharutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-syslogd-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-tar-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-tar-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-telnet-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-telnet-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-tftp-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-tftp-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-time-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-time-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-traceroute-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-tunctl-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-unzip-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-unzip-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-util-linux-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-vi-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-vi-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-vlan-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-vlan-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-wget-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-wget-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-which-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-which-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-whois-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-whois-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-xz-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-xz-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42363"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42363",
"url": "https://www.suse.com/security/cve/CVE-2023-42363"
},
{
"category": "external",
"summary": "SUSE Bug 1217580 for CVE-2023-42363",
"url": "https://bugzilla.suse.com/1217580"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-23T14:03:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42363"
},
{
"cve": "CVE-2023-42364",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42364"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42364",
"url": "https://www.suse.com/security/cve/CVE-2023-42364"
},
{
"category": "external",
"summary": "SUSE Bug 1217584 for CVE-2023-42364",
"url": "https://bugzilla.suse.com/1217584"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-23T14:03:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42364"
},
{
"cve": "CVE-2023-42365",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42365"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42365",
"url": "https://www.suse.com/security/cve/CVE-2023-42365"
},
{
"category": "external",
"summary": "SUSE Bug 1217585 for CVE-2023-42365",
"url": "https://bugzilla.suse.com/1217585"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-23T14:03:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42365"
}
]
}
SUSE-SU-2025:03205-1
Vulnerability from csaf_suse - Published: 2025-09-12 15:57 - Updated: 2025-09-12 15:57
Summary
Security update for busybox, busybox-links
Notes
Title of the patch
Security update for busybox, busybox-links
Description of the patch
This update for busybox, busybox-links fixes the following issues:
Updated to version 1.37.0 (jsc#PED-13039):
- CVE-2023-42363: Fixed use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580)
- CVE-2023-42364: Fixed use-after-free in the awk.c evaluate function (bsc#1217584)
- CVE-2023-42365: Fixed use-after-free in the awk.c copyvar function (bsc#1217585)
Other fixes:
- fix generation of file lists via Dockerfile
- add copy of busybox.links from the container to catch changes
to busybox config
- Blacklist creating links for halt, reboot, shutdown commands to avoid accidental
use in a fully booted system (bsc#1243201)
- Add getfattr applet to attr filelist
- busybox-udhcpc conflicts with udhcp.
- Add new sub-package for udhcpc
- zgrep: don't set the label option as only the real grep
supports it (bsc#1215943)
- Add conflict for coreutils-systemd, package got split
- Check in filelists instead of buildrequiring all non-busybox utils
- Replace transitional %usrmerged macro with regular version check (bsc#1206798)
- Create sub-package 'hexedit' [bsc#1203399]
- Create sub-package 'sha3sum' [bsc#1203397]
- Drop update-alternatives support
- Add provides smtp_daemon to busybox-sendmail
- Add conflicts: mawk to busybox-gawk
- fix mkdir path to point to /usr/bin instead of /bin
- add placeholder variable and ignore applet logic to busybox.install
- enable halt, poweroff, reboot commands (bsc#1243201)
- Fully enable udhcpc and document that this tool needs special
configuration and does not work out of the box [bsc#1217883]
- Replace transitional %usrmerged macro with regular version check (bsc#1206798)
Patchnames
SUSE-2025-3205,SUSE-SLE-Module-Basesystem-15-SP7-2025-3205
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for busybox, busybox-links",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for busybox, busybox-links fixes the following issues:\n\nUpdated to version 1.37.0 (jsc#PED-13039):\n - CVE-2023-42363: Fixed use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580)\n - CVE-2023-42364: Fixed use-after-free in the awk.c evaluate function (bsc#1217584)\n - CVE-2023-42365: Fixed use-after-free in the awk.c copyvar function (bsc#1217585)\n\nOther fixes:\n - fix generation of file lists via Dockerfile \n - add copy of busybox.links from the container to catch changes\n to busybox config\n - Blacklist creating links for halt, reboot, shutdown commands to avoid accidental\n use in a fully booted system (bsc#1243201) \n - Add getfattr applet to attr filelist\n - busybox-udhcpc conflicts with udhcp.\n - Add new sub-package for udhcpc\n - zgrep: don\u0027t set the label option as only the real grep\n supports it (bsc#1215943)\n - Add conflict for coreutils-systemd, package got splitted\n - Check in filelists instead of buildrequiring all non-busybox utils\n - Replace transitional %usrmerged macro with regular version check (bsc#1206798)\n - Create sub-package \u0027hexedit\u0027 [bsc#1203399]\n - Create sub-package \u0027sha3sum\u0027 [bsc#1203397]\n - Drop update-alternatives support\n - Add provides smtp_daemon to busybox-sendmail\n - Add conflicts: mawk to busybox-gawk\n - fix mkdir path to point to /usr/bin instead of /bin\n - add placeholder variable and ignore applet logic to busybox.install \n - enable halt, poweroff, reboot commands (bsc#1243201) \n - Fully enable udhcpc and document that this tool needs special\n configuration and does not work out of the box [bsc#1217883]\n - Replace transitional %usrmerged macro with regular version check (bsc#1206798)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3205,SUSE-SLE-Module-Basesystem-15-SP7-2025-3205",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03205-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03205-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503205-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03205-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-September/041682.html"
},
{
"category": "self",
"summary": "SUSE Bug 1203397",
"url": "https://bugzilla.suse.com/1203397"
},
{
"category": "self",
"summary": "SUSE Bug 1203399",
"url": "https://bugzilla.suse.com/1203399"
},
{
"category": "self",
"summary": "SUSE Bug 1206798",
"url": "https://bugzilla.suse.com/1206798"
},
{
"category": "self",
"summary": "SUSE Bug 1215943",
"url": "https://bugzilla.suse.com/1215943"
},
{
"category": "self",
"summary": "SUSE Bug 1217580",
"url": "https://bugzilla.suse.com/1217580"
},
{
"category": "self",
"summary": "SUSE Bug 1217584",
"url": "https://bugzilla.suse.com/1217584"
},
{
"category": "self",
"summary": "SUSE Bug 1217585",
"url": "https://bugzilla.suse.com/1217585"
},
{
"category": "self",
"summary": "SUSE Bug 1217883",
"url": "https://bugzilla.suse.com/1217883"
},
{
"category": "self",
"summary": "SUSE Bug 1243201",
"url": "https://bugzilla.suse.com/1243201"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42363 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42363/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42364 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42364/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42365 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42365/"
}
],
"title": "Security update for busybox, busybox-links",
"tracking": {
"current_release_date": "2025-09-12T15:57:30Z",
"generator": {
"date": "2025-09-12T15:57:30Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03205-1",
"initial_release_date": "2025-09-12T15:57:30Z",
"revision_history": [
{
"date": "2025-09-12T15:57:30Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150700.18.4.1.aarch64",
"product": {
"name": "busybox-1.37.0-150700.18.4.1.aarch64",
"product_id": "busybox-1.37.0-150700.18.4.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150700.18.4.1.aarch64",
"product": {
"name": "busybox-static-1.37.0-150700.18.4.1.aarch64",
"product_id": "busybox-static-1.37.0-150700.18.4.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150700.18.4.1.aarch64",
"product": {
"name": "busybox-testsuite-1.37.0-150700.18.4.1.aarch64",
"product_id": "busybox-testsuite-1.37.0-150700.18.4.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150700.18.4.1.aarch64",
"product": {
"name": "busybox-warewulf3-1.37.0-150700.18.4.1.aarch64",
"product_id": "busybox-warewulf3-1.37.0-150700.18.4.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150700.18.4.1.i586",
"product": {
"name": "busybox-1.37.0-150700.18.4.1.i586",
"product_id": "busybox-1.37.0-150700.18.4.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150700.18.4.1.i586",
"product": {
"name": "busybox-static-1.37.0-150700.18.4.1.i586",
"product_id": "busybox-static-1.37.0-150700.18.4.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150700.18.4.1.i586",
"product": {
"name": "busybox-testsuite-1.37.0-150700.18.4.1.i586",
"product_id": "busybox-testsuite-1.37.0-150700.18.4.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150700.18.4.1.i586",
"product": {
"name": "busybox-warewulf3-1.37.0-150700.18.4.1.i586",
"product_id": "busybox-warewulf3-1.37.0-150700.18.4.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-adduser-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-adduser-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-adduser-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-attr-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-attr-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-attr-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bc-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-bc-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-bc-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bind-utils-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-bind-utils-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-bind-utils-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bzip2-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-bzip2-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-bzip2-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-coreutils-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-coreutils-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-coreutils-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-cpio-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-cpio-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-cpio-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-diffutils-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-diffutils-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-diffutils-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-dos2unix-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-dos2unix-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-dos2unix-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-ed-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-ed-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-ed-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-findutils-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-findutils-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-findutils-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-gawk-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-gawk-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-gawk-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-grep-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-grep-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-grep-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-gzip-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-gzip-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-gzip-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-hexedit-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-hexedit-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-hexedit-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-hostname-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-hostname-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-hostname-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-iproute2-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-iproute2-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-iproute2-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-iputils-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-iputils-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-iputils-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-kbd-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-kbd-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-kbd-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-kmod-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-kmod-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-kmod-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-less-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-less-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-less-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-links-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-links-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-links-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-man-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-man-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-man-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-misc-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-misc-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-misc-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-ncurses-utils-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-ncurses-utils-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-ncurses-utils-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-net-tools-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-net-tools-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-net-tools-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-netcat-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-netcat-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-netcat-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-patch-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-patch-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-patch-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-policycoreutils-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-policycoreutils-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-policycoreutils-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-procps-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-procps-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-procps-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-psmisc-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-psmisc-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-psmisc-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sed-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-sed-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-sed-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-selinux-tools-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-selinux-tools-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-selinux-tools-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sendmail-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-sendmail-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-sendmail-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sh-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-sh-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-sh-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sha3sum-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-sha3sum-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-sha3sum-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sharutils-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-sharutils-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-sharutils-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-syslogd-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-syslogd-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-syslogd-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sysvinit-tools-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-sysvinit-tools-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-sysvinit-tools-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tar-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-tar-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-tar-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-telnet-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-telnet-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-telnet-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tftp-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-tftp-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-tftp-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-time-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-time-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-time-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-traceroute-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-traceroute-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-traceroute-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tunctl-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-tunctl-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-tunctl-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-udhcpc-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-udhcpc-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-udhcpc-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-unzip-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-unzip-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-unzip-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-util-linux-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-util-linux-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-util-linux-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-vi-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-vi-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-vi-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-vlan-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-vlan-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-vlan-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-wget-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-wget-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-wget-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-which-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-which-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-which-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-whois-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-whois-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-whois-1.37.0-150700.12.3.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-xz-1.37.0-150700.12.3.2.noarch",
"product": {
"name": "busybox-xz-1.37.0-150700.12.3.2.noarch",
"product_id": "busybox-xz-1.37.0-150700.12.3.2.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150700.18.4.1.ppc64le",
"product": {
"name": "busybox-1.37.0-150700.18.4.1.ppc64le",
"product_id": "busybox-1.37.0-150700.18.4.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150700.18.4.1.ppc64le",
"product": {
"name": "busybox-static-1.37.0-150700.18.4.1.ppc64le",
"product_id": "busybox-static-1.37.0-150700.18.4.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150700.18.4.1.ppc64le",
"product": {
"name": "busybox-testsuite-1.37.0-150700.18.4.1.ppc64le",
"product_id": "busybox-testsuite-1.37.0-150700.18.4.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150700.18.4.1.s390x",
"product": {
"name": "busybox-1.37.0-150700.18.4.1.s390x",
"product_id": "busybox-1.37.0-150700.18.4.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150700.18.4.1.s390x",
"product": {
"name": "busybox-static-1.37.0-150700.18.4.1.s390x",
"product_id": "busybox-static-1.37.0-150700.18.4.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150700.18.4.1.s390x",
"product": {
"name": "busybox-testsuite-1.37.0-150700.18.4.1.s390x",
"product_id": "busybox-testsuite-1.37.0-150700.18.4.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150700.18.4.1.x86_64",
"product": {
"name": "busybox-1.37.0-150700.18.4.1.x86_64",
"product_id": "busybox-1.37.0-150700.18.4.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150700.18.4.1.x86_64",
"product": {
"name": "busybox-static-1.37.0-150700.18.4.1.x86_64",
"product_id": "busybox-static-1.37.0-150700.18.4.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150700.18.4.1.x86_64",
"product": {
"name": "busybox-testsuite-1.37.0-150700.18.4.1.x86_64",
"product_id": "busybox-testsuite-1.37.0-150700.18.4.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150700.18.4.1.x86_64",
"product": {
"name": "busybox-warewulf3-1.37.0-150700.18.4.1.x86_64",
"product_id": "busybox-warewulf3-1.37.0-150700.18.4.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150700.18.4.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64"
},
"product_reference": "busybox-1.37.0-150700.18.4.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150700.18.4.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le"
},
"product_reference": "busybox-1.37.0-150700.18.4.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150700.18.4.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x"
},
"product_reference": "busybox-1.37.0-150700.18.4.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150700.18.4.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64"
},
"product_reference": "busybox-1.37.0-150700.18.4.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150700.18.4.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64"
},
"product_reference": "busybox-static-1.37.0-150700.18.4.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150700.18.4.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le"
},
"product_reference": "busybox-static-1.37.0-150700.18.4.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150700.18.4.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x"
},
"product_reference": "busybox-static-1.37.0-150700.18.4.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150700.18.4.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-150700.18.4.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42363"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42363",
"url": "https://www.suse.com/security/cve/CVE-2023-42363"
},
{
"category": "external",
"summary": "SUSE Bug 1217580 for CVE-2023-42363",
"url": "https://bugzilla.suse.com/1217580"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-12T15:57:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42363"
},
{
"cve": "CVE-2023-42364",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42364"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42364",
"url": "https://www.suse.com/security/cve/CVE-2023-42364"
},
{
"category": "external",
"summary": "SUSE Bug 1217584 for CVE-2023-42364",
"url": "https://bugzilla.suse.com/1217584"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-12T15:57:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42364"
},
{
"cve": "CVE-2023-42365",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42365"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42365",
"url": "https://www.suse.com/security/cve/CVE-2023-42365"
},
{
"category": "external",
"summary": "SUSE Bug 1217585 for CVE-2023-42365",
"url": "https://bugzilla.suse.com/1217585"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.4.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-12T15:57:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42365"
}
]
}
SUSE-SU-2025:03271-1
Vulnerability from csaf_suse - Published: 2025-09-23 14:03 - Updated: 2025-09-23 14:03
Summary
Security update for busybox, busybox-links
Notes
Title of the patch
Security update for busybox, busybox-links
Description of the patch
This update for busybox, busybox-links fixes the following issues:
Updated to version 1.37.0 (jsc#PED-13039):
- CVE-2023-42363: Fixed use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580)
- CVE-2023-42364: Fixed use-after-free in the awk.c evaluate function (bsc#1217584)
- CVE-2023-42365: Fixed use-after-free in the awk.c copyvar function (bsc#1217585)
Other fixes:
- fix generation of file lists via Dockerfile
- add copy of busybox.links from the container to catch changes
to busybox config
- Blacklist creating links for halt, reboot, shutdown commands to avoid accidental
use in a fully booted system (bsc#1243201)
- Add getfattr applet to attr filelist
- busybox-udhcpc conflicts with udhcp.
- Add new sub-package for udhcpc
- zgrep: don't set the label option as only the real grep
supports it (bsc#1215943)
- Add conflict for coreutils-systemd, package got split
- Check in filelists instead of buildrequiring all non-busybox utils
- Replace transitional %usrmerged macro with regular version check (bsc#1206798)
- Create sub-package 'hexedit' [bsc#1203399]
- Create sub-package 'sha3sum' [bsc#1203397]
- Drop update-alternatives support
- Add provides smtp_daemon to busybox-sendmail
- Add conflicts: mawk to busybox-gawk
- fix mkdir path to point to /usr/bin instead of /bin
- add placeholder variable and ignore applet logic to busybox.install
- enable halt, poweroff, reboot commands (bsc#1243201)
- Fully enable udhcpc and document that this tool needs special
configuration and does not work out of the box [bsc#1217883]
- Replace transitional %usrmerged macro with regular version check (bsc#1206798)
Patchnames
SUSE-2025-3271,SUSE-SLE-Module-Basesystem-15-SP6-2025-3271,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-3271,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-3271,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-3271,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-3271,openSUSE-SLE-15.6-2025-3271
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for busybox, busybox-links",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for busybox, busybox-links fixes the following issues:\n\nUpdated to version 1.37.0 (jsc#PED-13039):\n\n - CVE-2023-42363: Fixed use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580)\n - CVE-2023-42364: Fixed use-after-free in the awk.c evaluate function (bsc#1217584)\n - CVE-2023-42365: Fixed use-after-free in the awk.c copyvar function (bsc#1217585)\n\nOther fixes:\n\n - fix generation of file lists via Dockerfile \n - add copy of busybox.links from the container to catch changes\n to busybox config\n - Blacklist creating links for halt, reboot, shutdown commands to avoid accidental\n use in a fully booted system (bsc#1243201) \n - Add getfattr applet to attr filelist\n - busybox-udhcpc conflicts with udhcp.\n - Add new sub-package for udhcpc\n - zgrep: don\u0027t set the label option as only the real grep\n supports it (bsc#1215943)\n - Add conflict for coreutils-systemd, package got splitted\n - Check in filelists instead of buildrequiring all non-busybox utils\n - Replace transitional %usrmerged macro with regular version check (bsc#1206798)\n - Create sub-package \u0027hexedit\u0027 [bsc#1203399]\n - Create sub-package \u0027sha3sum\u0027 [bsc#1203397]\n - Drop update-alternatives support\n - Add provides smtp_daemon to busybox-sendmail\n - Add conflicts: mawk to busybox-gawk\n - fix mkdir path to point to /usr/bin instead of /bin\n - add placeholder variable and ignore applet logic to busybox.install \n - enable halt, poweroff, reboot commands (bsc#1243201) \n - Fully enable udhcpc and document that this tool needs special\n configuration and does not work out of the box [bsc#1217883]\n - Replace transitional %usrmerged macro with regular version check (bsc#1206798)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3271,SUSE-SLE-Module-Basesystem-15-SP6-2025-3271,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-3271,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-3271,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-3271,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-3271,openSUSE-SLE-15.6-2025-3271",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03271-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03271-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503271-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03271-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-September/041774.html"
},
{
"category": "self",
"summary": "SUSE Bug 1203397",
"url": "https://bugzilla.suse.com/1203397"
},
{
"category": "self",
"summary": "SUSE Bug 1203399",
"url": "https://bugzilla.suse.com/1203399"
},
{
"category": "self",
"summary": "SUSE Bug 1206798",
"url": "https://bugzilla.suse.com/1206798"
},
{
"category": "self",
"summary": "SUSE Bug 1215943",
"url": "https://bugzilla.suse.com/1215943"
},
{
"category": "self",
"summary": "SUSE Bug 1217580",
"url": "https://bugzilla.suse.com/1217580"
},
{
"category": "self",
"summary": "SUSE Bug 1217584",
"url": "https://bugzilla.suse.com/1217584"
},
{
"category": "self",
"summary": "SUSE Bug 1217585",
"url": "https://bugzilla.suse.com/1217585"
},
{
"category": "self",
"summary": "SUSE Bug 1217883",
"url": "https://bugzilla.suse.com/1217883"
},
{
"category": "self",
"summary": "SUSE Bug 1239176",
"url": "https://bugzilla.suse.com/1239176"
},
{
"category": "self",
"summary": "SUSE Bug 1243201",
"url": "https://bugzilla.suse.com/1243201"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42363 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42363/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42364 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42364/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-42365 page",
"url": "https://www.suse.com/security/cve/CVE-2023-42365/"
}
],
"title": "Security update for busybox, busybox-links",
"tracking": {
"current_release_date": "2025-09-23T14:03:30Z",
"generator": {
"date": "2025-09-23T14:03:30Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03271-1",
"initial_release_date": "2025-09-23T14:03:30Z",
"revision_history": [
{
"date": "2025-09-23T14:03:30Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.aarch64",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.aarch64",
"product_id": "busybox-1.37.0-150500.10.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"product_id": "busybox-static-1.37.0-150500.10.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"product": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"product_id": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.i586",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.i586",
"product_id": "busybox-1.37.0-150500.10.11.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.i586",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.i586",
"product_id": "busybox-static-1.37.0-150500.10.11.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.i586",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.i586",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.i586"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.i586",
"product": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.i586",
"product_id": "busybox-warewulf3-1.37.0-150500.10.11.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-adduser-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-adduser-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-adduser-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-attr-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-attr-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-attr-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bc-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-bc-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-bc-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-bzip2-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-coreutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-cpio-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-cpio-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-cpio-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-diffutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-ed-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-ed-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-ed-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-findutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-findutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-findutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-gawk-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-gawk-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-gawk-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-grep-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-grep-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-grep-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-gzip-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-gzip-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-gzip-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-hexedit-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-hostname-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-hostname-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-hostname-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-iproute2-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-iputils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-iputils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-iputils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-kbd-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-kbd-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-kbd-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-kmod-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-kmod-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-kmod-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-less-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-less-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-less-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-links-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-links-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-links-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-man-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-man-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-man-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-misc-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-misc-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-misc-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-net-tools-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-netcat-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-netcat-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-netcat-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-patch-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-patch-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-patch-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-procps-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-procps-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-procps-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-psmisc-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sed-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sed-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sed-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sendmail-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sh-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sh-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sh-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sharutils-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-syslogd-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tar-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-tar-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-tar-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-telnet-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-telnet-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-telnet-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tftp-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-tftp-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-tftp-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-time-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-time-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-time-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-traceroute-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-tunctl-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-unzip-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-unzip-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-unzip-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-util-linux-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-vi-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-vi-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-vi-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-vlan-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-vlan-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-vlan-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-wget-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-wget-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-wget-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-which-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-which-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-which-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-whois-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-whois-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-whois-1.37.0-150500.7.7.2.noarch"
}
},
{
"category": "product_version",
"name": "busybox-xz-1.37.0-150500.7.7.2.noarch",
"product": {
"name": "busybox-xz-1.37.0-150500.7.7.2.noarch",
"product_id": "busybox-xz-1.37.0-150500.7.7.2.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.ppc64le",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.ppc64le",
"product_id": "busybox-1.37.0-150500.10.11.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"product_id": "busybox-static-1.37.0-150500.10.11.1.ppc64le"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.s390x",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.s390x",
"product_id": "busybox-1.37.0-150500.10.11.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.s390x",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.s390x",
"product_id": "busybox-static-1.37.0-150500.10.11.1.s390x"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "busybox-1.37.0-150500.10.11.1.x86_64",
"product": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64",
"product_id": "busybox-1.37.0-150500.10.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"product": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"product_id": "busybox-static-1.37.0-150500.10.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"product": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"product_id": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64"
}
},
{
"category": "product_version",
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"product": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"product_id": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.s390x as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.s390x as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.s390x as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-1.37.0-150500.10.11.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-adduser-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-adduser-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-attr-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-attr-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-bc-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-bc-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-bzip2-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-coreutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-cpio-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-cpio-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-diffutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-ed-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-ed-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-findutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-findutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-gawk-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-gawk-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-grep-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-grep-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-gzip-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-gzip-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-hexedit-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-hostname-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-hostname-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-iproute2-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-iputils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-iputils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-kbd-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-kbd-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-kmod-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-kmod-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-less-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-less-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-links-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-links-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-man-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-man-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-misc-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-misc-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-net-tools-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-netcat-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-netcat-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-patch-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-patch-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-procps-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-procps-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-psmisc-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sed-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sed-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sendmail-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sh-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sh-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sharutils-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-static-1.37.0-150500.10.11.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-static-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-syslogd-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-tar-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-tar-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-telnet-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-telnet-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le"
},
"product_reference": "busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x"
},
"product_reference": "busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-tftp-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-tftp-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-time-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-time-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-traceroute-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-tunctl-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-unzip-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-unzip-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-util-linux-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-vi-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-vi-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-vlan-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-vlan-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64"
},
"product_reference": "busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64"
},
"product_reference": "busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-wget-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-wget-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-which-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-which-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-whois-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-whois-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "busybox-xz-1.37.0-150500.7.7.2.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
},
"product_reference": "busybox-xz-1.37.0-150500.7.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42363"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42363",
"url": "https://www.suse.com/security/cve/CVE-2023-42363"
},
{
"category": "external",
"summary": "SUSE Bug 1217580 for CVE-2023-42363",
"url": "https://bugzilla.suse.com/1217580"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-23T14:03:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42363"
},
{
"cve": "CVE-2023-42364",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42364"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42364",
"url": "https://www.suse.com/security/cve/CVE-2023-42364"
},
{
"category": "external",
"summary": "SUSE Bug 1217584 for CVE-2023-42364",
"url": "https://bugzilla.suse.com/1217584"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-23T14:03:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42364"
},
{
"cve": "CVE-2023-42365",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-42365"
}
],
"notes": [
{
"category": "general",
"text": "A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-42365",
"url": "https://www.suse.com/security/cve/CVE-2023-42365"
},
{
"category": "external",
"summary": "SUSE Bug 1217585 for CVE-2023-42365",
"url": "https://bugzilla.suse.com/1217585"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Module for Basesystem 15 SP6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:busybox-static-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-1.37.0-150500.10.11.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-adduser-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-attr-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bind-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-bzip2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-coreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-cpio-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-diffutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-dos2unix-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-findutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gawk-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-grep-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-gzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hexedit-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-hostname-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iproute2-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-iputils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kbd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-kmod-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-less-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-links-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-man-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-misc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-ncurses-utils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-net-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-netcat-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-patch-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-policycoreutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-procps-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-psmisc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sed-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-selinux-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sendmail-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sh-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sha3sum-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sharutils-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-static-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-syslogd-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-sysvinit-tools-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tar-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-telnet-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.ppc64le",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.s390x",
"openSUSE Leap 15.6:busybox-testsuite-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-tftp-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-time-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-traceroute-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-tunctl-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-udhcpc-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-unzip-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-util-linux-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vi-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-vlan-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.aarch64",
"openSUSE Leap 15.6:busybox-warewulf3-1.37.0-150500.10.11.1.x86_64",
"openSUSE Leap 15.6:busybox-wget-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-which-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-whois-1.37.0-150500.7.7.2.noarch",
"openSUSE Leap 15.6:busybox-xz-1.37.0-150500.7.7.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-23T14:03:30Z",
"details": "moderate"
}
],
"title": "CVE-2023-42365"
}
]
}
MSRC_CVE-2023-42363
Vulnerability from csaf_microsoft - Published: 2023-11-01 07:00 - Updated: 2024-09-11 00:00
Summary
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2023-42363 A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-42363.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"tracking": {
"current_release_date": "2024-09-11T00:00:00.000Z",
"generator": {
"date": "2025-10-20T00:47:01.419Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2023-42363",
"initial_release_date": "2023-11-01T07:00:00.000Z",
"revision_history": [
{
"date": "2024-08-18T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2024-08-25T00:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
},
{
"date": "2024-08-26T00:00:00.000Z",
"legacy_version": "1.2",
"number": "3",
"summary": "Information published."
},
{
"date": "2024-08-27T00:00:00.000Z",
"legacy_version": "1.3",
"number": "4",
"summary": "Information published."
},
{
"date": "2024-08-28T00:00:00.000Z",
"legacy_version": "1.4",
"number": "5",
"summary": "Information published."
},
{
"date": "2024-08-29T00:00:00.000Z",
"legacy_version": "1.5",
"number": "6",
"summary": "Information published."
},
{
"date": "2024-08-30T00:00:00.000Z",
"legacy_version": "1.6",
"number": "7",
"summary": "Information published."
},
{
"date": "2024-08-31T00:00:00.000Z",
"legacy_version": "1.7",
"number": "8",
"summary": "Information published."
},
{
"date": "2024-09-01T00:00:00.000Z",
"legacy_version": "1.8",
"number": "9",
"summary": "Information published."
},
{
"date": "2024-09-02T00:00:00.000Z",
"legacy_version": "1.9",
"number": "10",
"summary": "Information published."
},
{
"date": "2024-09-03T00:00:00.000Z",
"legacy_version": "2",
"number": "11",
"summary": "Information published."
},
{
"date": "2024-09-05T00:00:00.000Z",
"legacy_version": "2.1",
"number": "12",
"summary": "Information published."
},
{
"date": "2024-09-06T00:00:00.000Z",
"legacy_version": "2.2",
"number": "13",
"summary": "Information published."
},
{
"date": "2024-09-07T00:00:00.000Z",
"legacy_version": "2.3",
"number": "14",
"summary": "Information published."
},
{
"date": "2024-09-08T00:00:00.000Z",
"legacy_version": "2.4",
"number": "15",
"summary": "Information published."
},
{
"date": "2024-09-11T00:00:00.000Z",
"legacy_version": "2.5",
"number": "16",
"summary": "Information published."
}
],
"status": "final",
"version": "16"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 busybox 1.35.0-13",
"product": {
"name": "\u003ccbl2 busybox 1.35.0-13",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 busybox 1.35.0-13",
"product": {
"name": "cbl2 busybox 1.35.0-13",
"product_id": "20038"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 busybox 1.36.1-12",
"product": {
"name": "\u003cazl3 busybox 1.36.1-12",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "azl3 busybox 1.36.1-12",
"product": {
"name": "azl3 busybox 1.36.1-12",
"product_id": "19943"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 busybox 1.35.0-11",
"product": {
"name": "\u003ccbl2 busybox 1.35.0-11",
"product_id": "4"
}
},
{
"category": "product_version",
"name": "cbl2 busybox 1.35.0-11",
"product": {
"name": "cbl2 busybox 1.35.0-11",
"product_id": "18180"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 busybox 1.36.1-7",
"product": {
"name": "\u003cazl3 busybox 1.36.1-7",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "azl3 busybox 1.36.1-7",
"product": {
"name": "azl3 busybox 1.36.1-7",
"product_id": "18181"
}
}
],
"category": "product_name",
"name": "busybox"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 busybox 1.35.0-13 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 busybox 1.35.0-13 as a component of CBL Mariner 2.0",
"product_id": "20038-17086"
},
"product_reference": "20038",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 busybox 1.36.1-12 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 busybox 1.36.1-12 as a component of Azure Linux 3.0",
"product_id": "19943-17084"
},
"product_reference": "19943",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 busybox 1.35.0-11 as a component of CBL Mariner 2.0",
"product_id": "17086-4"
},
"product_reference": "4",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 busybox 1.35.0-11 as a component of CBL Mariner 2.0",
"product_id": "18180-17086"
},
"product_reference": "18180",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 busybox 1.36.1-7 as a component of Azure Linux 3.0",
"product_id": "17084-3"
},
"product_reference": "3",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 busybox 1.36.1-7 as a component of Azure Linux 3.0",
"product_id": "18181-17084"
},
"product_reference": "18181",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-42363",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "general",
"text": "mitre",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"20038-17086",
"19943-17084",
"18180-17086",
"18181-17084"
],
"known_affected": [
"17086-1",
"17084-2",
"17086-4",
"17084-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-42363 A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-42363.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2024-08-18T00:00:00.000Z",
"details": "1.35.0-11:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-1",
"17086-4"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-08-18T00:00:00.000Z",
"details": "1.36.1-7:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-2",
"17084-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.5,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"17086-1",
"17084-2",
"17086-4",
"17084-3"
]
}
],
"title": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1."
}
]
}
SSA-089022
Vulnerability from csaf_siemens - Published: 2026-01-28 00:00 - Updated: 2026-01-28 00:00
Summary
SSA-089022: Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.3
Notes
Summary
SINEC OS before V3.3 contains third-party components with multiple vulnerabilities.
Siemens has released new versions for the affected products and recommends to update to the latest versions.
General Recommendations
As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "SINEC OS before V3.3 contains third-party components with multiple vulnerabilities.\n\nSiemens has released new versions for the affected products and recommends to update to the latest versions.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-089022: Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.3 - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
},
{
"category": "self",
"summary": "SSA-089022: Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.3 - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-089022.json"
}
],
"title": "SSA-089022: Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.3",
"tracking": {
"current_release_date": "2026-01-28T00:00:00Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-089022",
"initial_release_date": "2026-01-28T00:00:00Z",
"revision_history": [
{
"date": "2026-01-28T00:00:00Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "interim",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "RUGGEDCOM RST2428P (6GK6242-6PA00)",
"product_id": "1",
"product_identification_helper": {
"model_numbers": [
"6GK6242-6PA00"
]
}
}
}
],
"category": "product_name",
"name": "RUGGEDCOM RST2428P (6GK6242-6PA00)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XCH328 (6GK5328-4TS01-2EC2)",
"product_id": "2",
"product_identification_helper": {
"model_numbers": [
"6GK5328-4TS01-2EC2"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XCH328 (6GK5328-4TS01-2EC2)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XCM324 (6GK5324-8TS01-2AC2)",
"product_id": "3",
"product_identification_helper": {
"model_numbers": [
"6GK5324-8TS01-2AC2"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XCM324 (6GK5324-8TS01-2AC2)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XCM328 (6GK5328-4TS01-2AC2)",
"product_id": "4",
"product_identification_helper": {
"model_numbers": [
"6GK5328-4TS01-2AC2"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XCM328 (6GK5328-4TS01-2AC2)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XCM332 (6GK5332-0GA01-2AC2)",
"product_id": "5",
"product_identification_helper": {
"model_numbers": [
"6GK5332-0GA01-2AC2"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XCM332 (6GK5332-0GA01-2AC2)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3)",
"product_id": "6",
"product_identification_helper": {
"model_numbers": [
"6GK5334-2TS01-2ER3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3)",
"product_id": "7",
"product_identification_helper": {
"model_numbers": [
"6GK5334-3TS01-3AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3)",
"product_id": "8",
"product_identification_helper": {
"model_numbers": [
"6GK5334-2TS01-3AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3)",
"product_id": "9",
"product_identification_helper": {
"model_numbers": [
"6GK5334-5TS01-3AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3)",
"product_id": "10",
"product_identification_helper": {
"model_numbers": [
"6GK5334-3TS01-2AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3)",
"product_id": "11",
"product_identification_helper": {
"model_numbers": [
"6GK5334-2TS01-2AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3)",
"product_id": "12",
"product_identification_helper": {
"model_numbers": [
"6GK5334-5TS01-2AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3)",
"product_id": "13",
"product_identification_helper": {
"model_numbers": [
"6GK5334-3TS01-4AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3)",
"product_id": "14",
"product_identification_helper": {
"model_numbers": [
"6GK5334-2TS01-4AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c3.3",
"product": {
"name": "SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3)",
"product_id": "15",
"product_identification_helper": {
"model_numbers": [
"6GK5334-5TS01-4AR3"
]
}
}
}
],
"category": "product_name",
"name": "SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-48174",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2022-48174"
},
{
"cve": "CVE-2023-7256",
"cwe": {
"id": "CWE-415",
"name": "Double Free"
},
"notes": [
{
"category": "summary",
"text": "In affected libpcap versions during the setup of a remote packet capture the internal function sock_initaddress() calls getaddrinfo() and possibly freeaddrinfo(), but does not clearly indicate to the caller function whether freeaddrinfo() still remains to be called after the function returns. This makes it possible in some scenarios that both the function and its caller call freeaddrinfo() for the same allocated memory block. A similar problem was reported in Apple libpcap, to which Apple assigned CVE-2023-40400.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2023-7256"
},
{
"cve": "CVE-2023-39810",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2023-39810"
},
{
"cve": "CVE-2023-42363",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2023-42363"
},
{
"cve": "CVE-2023-42364",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2023-42364"
},
{
"cve": "CVE-2023-42365",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2023-42365"
},
{
"cve": "CVE-2023-42366",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "summary",
"text": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2023-42366"
},
{
"cve": "CVE-2024-6197",
"cwe": {
"id": "CWE-590",
"name": "Free of Memory not on the Heap"
},
"notes": [
{
"category": "summary",
"text": "libcurl\u0027s ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-6197"
},
{
"cve": "CVE-2024-6874",
"cwe": {
"id": "CWE-126",
"name": "Buffer Over-read"
},
"notes": [
{
"category": "summary",
"text": "libcurl\u0027s URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-6874"
},
{
"cve": "CVE-2024-7264",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "libcurl\u0027s ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-7264"
},
{
"cve": "CVE-2024-8006",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "summary",
"text": "Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer derefence.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-8006"
},
{
"cve": "CVE-2024-8096",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"notes": [
{
"category": "summary",
"text": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than \u0027revoked\u0027 (like for example \u0027unauthorized\u0027) it is not treated as a bad certficate.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-8096"
},
{
"cve": "CVE-2024-9681",
"cwe": {
"id": "CWE-697",
"name": "Incorrect Comparison"
},
"notes": [
{
"category": "summary",
"text": "When curl is asked to use HSTS, the expiry time for a subdomain might\r\noverwrite a parent domain\u0027s cache entry, making it end sooner or later than\r\notherwise intended.\r\n\r\nThis affects curl using applications that enable HSTS and use URLs with the\r\ninsecure `HTTP://` scheme and perform transfers with hosts like\r\n`x.example.com` as well as `example.com` where the first host is a subdomain\r\nof the second host.\r\n\r\n(The HSTS cache either needs to have been populated manually or there needs to\r\nhave been previous HTTPS accesses done as the cache needs to have entries for\r\nthe domains involved to trigger this problem.)\r\n\r\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\r\nbug can make the subdomain\u0027s expiry timeout *bleed over* and get set for the\r\nparent domain `example.com` in curl\u0027s HSTS cache.\r\n\r\nThe result of a triggered bug is that HTTP accesses to `example.com` get\r\nconverted to HTTPS for a different period of time than what was asked for by\r\nthe origin server. If `example.com` for example stops supporting HTTPS at its\r\nexpiry time, curl might then fail to access `http://example.com` until the\r\n(wrongly set) timeout expires. This bug can also expire the parent\u0027s entry\r\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\r\nthan otherwise intended.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-9681"
},
{
"cve": "CVE-2024-11053",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "summary",
"text": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-11053"
},
{
"cve": "CVE-2024-12718",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Allows modifying some file metadata (e.g. last modified) with filter=\"data\"\u00a0or file permissions (chmod) with filter=\"tar\"\u00a0of files outside the extraction directory.\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don\u0027t include the extraction filter feature.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-12718"
},
{
"cve": "CVE-2024-41996",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"notes": [
{
"category": "summary",
"text": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-41996"
},
{
"cve": "CVE-2024-47619",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"notes": [
{
"category": "summary",
"text": "syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-47619"
},
{
"cve": "CVE-2024-52533",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing \u0027\\\\0\u0027 character.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2024-52533"
},
{
"cve": "CVE-2025-0167",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "summary",
"text": "When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-0167"
},
{
"cve": "CVE-2025-0665",
"cwe": {
"id": "CWE-1341",
"name": "Multiple Releases of Same Resource or Handle"
},
"notes": [
{
"category": "summary",
"text": "libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-0665"
},
{
"cve": "CVE-2025-0725",
"cwe": {
"id": "CWE-680",
"name": "Integer Overflow to Buffer Overflow"
},
"notes": [
{
"category": "summary",
"text": "When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-0725"
},
{
"cve": "CVE-2025-1390",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "summary",
"text": "The PAM module pam_cap.so of libcap configuration supports group names starting with \u201c@\u201d, during actual parsing, configurations not starting with \u201c@\u201d are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-1390"
},
{
"cve": "CVE-2025-3360",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "summary",
"text": "An integer overflow and buffer under-read in GLib occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-3360"
},
{
"cve": "CVE-2025-4138",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.\n\n\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-4138"
},
{
"cve": "CVE-2025-4330",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.\n\n\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-4330"
},
{
"cve": "CVE-2025-4373",
"cwe": {
"id": "CWE-124",
"name": "Buffer Underwrite (\u0027Buffer Underflow\u0027)"
},
"notes": [
{
"category": "summary",
"text": "GLib is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-4373"
},
{
"cve": "CVE-2025-4435",
"cwe": {
"id": "CWE-682",
"name": "Incorrect Calculation"
},
"notes": [
{
"category": "summary",
"text": "When using a TarFile.errorlevel = 0\u00a0and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0\u00a0in affected versions is that the member would still be extracted and not skipped.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-4435"
},
{
"cve": "CVE-2025-4516",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "summary",
"text": "There is an issue in CPython when using `bytes.decode(\"unicode_escape\", error=\"ignore|replace\")`. If you are not using the \"unicode_escape\" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-4516"
},
{
"cve": "CVE-2025-4517",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Allows arbitrary filesystem writes outside the extraction directory during extraction with filter=\"data\".\n\n\nYou are affected by this vulnerability if using the tarfile\u00a0module to extract untrusted tar archives using TarFile.extractall()\u00a0or TarFile.extract()\u00a0using the filter=\u00a0parameter with a value of \"data\"\u00a0or \"tar\". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter \u00a0for more information.\n\nNote that for Python 3.14 or later the default value of filter=\u00a0changed from \"no filtering\" to `\"data\", so if you are relying on this new default behavior then your usage is also affected.\n\nNote that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it\u0027s important to avoid installing source distributions with suspicious links.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-4517"
},
{
"cve": "CVE-2025-6141",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "summary",
"text": "A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-6141"
},
{
"cve": "CVE-2025-9086",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\u0027/\u0027`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-9086"
},
{
"cve": "CVE-2025-9230",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "summary",
"text": "An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-9230"
},
{
"cve": "CVE-2025-9231",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"notes": [
{
"category": "summary",
"text": "Issue summary: A timing side-channel which could potentially allow remote\nrecovery of the private key exists in the SM2 algorithm implementation on 64 bit\nARM platforms.\n\nImpact summary: A timing side-channel in SM2 signature computations on 64 bit\nARM platforms could allow recovering the private key by an attacker..\n\nWhile remote key recovery over a network was not attempted by the reporter,\ntiming measurements revealed a timing signal which may allow such an attack.\n\nOpenSSL does not directly support certificates with SM2 keys in TLS, and so\nthis CVE is not relevant in most TLS contexts. However, given that it is\npossible to add support for such certificates via a custom provider, coupled\nwith the fact that in such a custom provider context the private key may be\nrecoverable via remote timing measurements, we consider this to be a Moderate\nseverity issue.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as SM2 is not an approved algorithm.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-9231"
},
{
"cve": "CVE-2025-9232",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "Issue summary: An application using the OpenSSL HTTP client API functions may\ntrigger an out-of-bounds read if the \u0027no_proxy\u0027 environment variable is set and\nthe host portion of the authority component of the HTTP URL is an IPv6 address.\n\nImpact summary: An out-of-bounds read can trigger a crash which leads to\nDenial of Service for an application.\n\nThe OpenSSL HTTP client API functions can be used directly by applications\nbut they are also used by the OCSP client functions and CMP (Certificate\nManagement Protocol) client implementation in OpenSSL. However the URLs used\nby these implementations are unlikely to be controlled by an attacker.\n\nIn this vulnerable code the out of bounds read can only trigger a crash.\nFurthermore the vulnerability requires an attacker-controlled URL to be\npassed from an application to the OpenSSL function and the user has to have\na \u0027no_proxy\u0027 environment variable set. For the aforementioned reasons the\nissue was assessed as Low severity.\n\nThe vulnerable code was introduced in the following patch releases:\n3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as the HTTP client implementation is outside the OpenSSL FIPS module\nboundary.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-9232"
},
{
"cve": "CVE-2025-10148",
"cwe": {
"id": "CWE-340",
"name": "Generation of Predictable Numbers or Identifiers"
},
"notes": [
{
"category": "summary",
"text": "curl\u0027s websocket code did not update the 32 bit mask pattern for each new\n outgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-10148"
},
{
"cve": "CVE-2025-27587",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"notes": [
{
"category": "summary",
"text": "OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-27587"
},
{
"cve": "CVE-2025-32433",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "summary",
"text": "Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-32433"
},
{
"cve": "CVE-2025-38084",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: unshare page tables during VMA split, not before\n\nCurrently, __split_vma() triggers hugetlb page table unsharing through\nvm_ops-\u003emay_split(). This happens before the VMA lock and rmap locks are\ntaken - which is too early, it allows racing VMA-locked page faults in our\nprocess and racing rmap walks from other processes to cause page tables to\nbe shared again before we actually perform the split.\n\nFix it by explicitly calling into the hugetlb unshare logic from\n__split_vma() in the same place where THP splitting also happens. At that\npoint, both the VMA and the rmap(s) are write-locked.\n\nAn annoying detail is that we can now call into the helper\nhugetlb_unshare_pmds() from two different locking contexts:\n\n1. from hugetlb_split(), holding:\n - mmap lock (exclusively)\n - VMA lock\n - file rmap lock (exclusively)\n2. hugetlb_unshare_all_pmds(), which I think is designed to be able to\n call us with only the mmap lock held (in shared mode), but currently\n only runs while holding mmap lock (exclusively) and VMA lock\n\nBackporting note:\nThis commit fixes a racy protection that was introduced in commit\nb30c14cd6102 (\"hugetlb: unshare some PMDs when splitting VMAs\"); that\ncommit claimed to fix an issue introduced in 5.13, but it should actually\nalso go all the way back.\n\n[jannh@google.com: v2]",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-38084"
},
{
"cve": "CVE-2025-38085",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process. While I don\u0027t see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-38085"
},
{
"cve": "CVE-2025-38086",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ch9200: fix uninitialised access during mii_nway_restart\n\nIn mii_nway_restart() the code attempts to call\nmii-\u003emdio_read which is ch9200_mdio_read(). ch9200_mdio_read()\nutilises a local buffer called \"buff\", which is initialised\nwith control_read(). However \"buff\" is conditionally\ninitialised inside control_read():\n\n if (err == size) {\n memcpy(data, buf, size);\n }\n\nIf the condition of \"err == size\" is not met, then\n\"buff\" remains uninitialised. Once this happens the\nuninitialised \"buff\" is accessed and returned during\nch9200_mdio_read():\n\n return (buff[0] | buff[1] \u003c\u003c 8);\n\nThe problem stems from the fact that ch9200_mdio_read()\nignores the return value of control_read(), leading to\nuinit-access of \"buff\".\n\nTo fix this we should check the return value of\ncontrol_read() and return early on error.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-38086"
},
{
"cve": "CVE-2025-38345",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: fix acpi operand cache leak in dswstate.c\n\nACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732\n\nI found an ACPI cache leak in ACPI early termination and boot continuing case.\n\nWhen early termination occurs due to malicious ACPI table, Linux kernel\nterminates ACPI function and continues to boot process. While kernel terminates\nACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak.\n\nBoot log of ACPI operand cache leak is as follows:\n\u003e[ 0.585957] ACPI: Added _OSI(Module Device)\n\u003e[ 0.587218] ACPI: Added _OSI(Processor Device)\n\u003e[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions)\n\u003e[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device)\n\u003e[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155)\n\u003e[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88)\n\u003e[ 0.597858] ACPI: Unable to start the ACPI Interpreter\n\u003e[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)\n\u003e[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects\n\u003e[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26\n\u003e[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006\n\u003e[ 0.609177] Call Trace:\n\u003e[ 0.610063] ? dump_stack+0x5c/0x81\n\u003e[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0\n\u003e[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27\n\u003e[ 0.613906] ? acpi_os_delete_cache+0xa/0x10\n\u003e[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b\n\u003e[ 0.619293] ? acpi_terminate+0xa/0x14\n\u003e[ 0.620394] ? acpi_init+0x2af/0x34f\n\u003e[ 0.621616] ? __class_create+0x4c/0x80\n\u003e[ 0.623412] ? video_setup+0x7f/0x7f\n\u003e[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27\n\u003e[ 0.625861] ? do_one_initcall+0x4e/0x1a0\n\u003e[ 0.627513] ? 
kernel_init_freeable+0x19e/0x21f\n\u003e[ 0.628972] ? rest_init+0x80/0x80\n\u003e[ 0.630043] ? kernel_init+0xa/0x100\n\u003e[ 0.631084] ? ret_from_fork+0x25/0x30\n\u003e[ 0.633343] vgaarb: loaded\n\u003e[ 0.635036] EDAC MC: Ver: 3.0.0\n\u003e[ 0.638601] PCI: Probing PCI hardware\n\u003e[ 0.639833] PCI host bridge to bus 0000:00\n\u003e[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff]\n\u003e ... Continue to boot and log is omitted ...\n\nI analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_\ndelete() function miscalculated the top of the stack. acpi_ds_obj_stack_push()\nfunction uses walk_state-\u003eoperand_index for start position of the top, but\nacpi_ds_obj_stack_pop_and_delete() function considers index 0 for it.\nTherefore, this causes acpi operand memory leak.\n\nThis cache leak causes a security threat because an old kernel (\u003c= 4.9) shows\nmemory locations of kernel functions in stack dump. Some malicious users\ncould use this information to neutralize kernel ASLR.\n\nI made a patch to fix ACPI operand cache leak.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-38345"
},
{
"cve": "CVE-2025-38350",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes\u0027 dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent\u0027s parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n tc qdisc add dev lo root handle 1: drr\n tc filter add dev lo parent 1: basic classid 1:1\n tc class add dev lo parent 1: classid 1:1 drr\n tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n tc qdisc add dev lo parent 2:1 handle 3: netem\n tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n tc class delete dev lo classid 1:1\n echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. 
This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-38350"
},
{
"cve": "CVE-2025-38498",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_change_type(): refuse to operate on unmounted/not ours mounts\n\nEnsure that propagation settings can only be changed for mounts located\nin the caller\u0027s mount namespace. This change aligns permission checking\nwith the rest of mount(2).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-38498"
},
{
"cve": "CVE-2025-39839",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix OOB read/write in network-coding decode\n\nbatadv_nc_skb_decode_packet() trusts coded_len and checks only against\nskb-\u003elen. XOR starts at sizeof(struct batadv_unicast_packet), reducing\npayload headroom, and the source skb length is not verified, allowing an\nout-of-bounds read and a small out-of-bounds write.\n\nValidate that coded_len fits within the payload area of both destination\nand source sk_buffs before XORing.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-39839"
},
{
"cve": "CVE-2025-39841",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix buffer free/clear order in deferred receive path\n\nFix a use-after-free window by correcting the buffer release sequence in\nthe deferred receive path. The code freed the RQ buffer first and only\nthen cleared the context pointer under the lock. Concurrent paths (e.g.,\nABTS and the repost path) also inspect and release the same pointer under\nthe lock, so the old order could lead to double-free/UAF.\n\nNote that the repost path already uses the correct pattern: detach the\npointer under the lock, then free it after dropping the lock. The\ndeferred path should do the same.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-39841"
},
{
"cve": "CVE-2025-39846",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()\n\nIn __iodyn_find_io_region(), pcmcia_make_resource() is assigned to\nres and used in pci_bus_alloc_resource(). There is a dereference of res\nin pci_bus_alloc_resource(), which could lead to a NULL pointer\ndereference on failure of pcmcia_make_resource().\n\nFix this bug by adding a check of res.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-39846"
},
{
"cve": "CVE-2025-39853",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix potential invalid access when MAC list is empty\n\nlist_first_entry() never returns NULL - if the list is empty, it still\nreturns a pointer to an invalid object, leading to potential invalid\nmemory access when dereferenced.\n\nFix this by using list_first_entry_or_null instead of list_first_entry.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-39853"
},
{
"cve": "CVE-2025-39860",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()\n\nsyzbot reported the splat below without a repro.\n\nIn the splat, a single thread calling bt_accept_dequeue() freed sk\nand touched it after that.\n\nThe root cause would be the racy l2cap_sock_cleanup_listen() call\nadded by the cited commit.\n\nbt_accept_dequeue() is called under lock_sock() except for\nl2cap_sock_release().\n\nTwo threads could see the same socket during the list iteration\nin bt_accept_dequeue():\n\n CPU1 CPU2 (close())\n ---- ----\n sock_hold(sk) sock_hold(sk);\n lock_sock(sk) \u003c-- block close()\n sock_put(sk)\n bt_accept_unlink(sk)\n sock_put(sk) \u003c-- refcnt by bt_accept_enqueue()\n release_sock(sk)\n lock_sock(sk)\n sock_put(sk)\n bt_accept_unlink(sk)\n sock_put(sk) \u003c-- last refcnt\n bt_accept_unlink(sk) \u003c-- UAF\n\nDepending on the timing, the other thread could show up in the\n\"Freed by task\" part.\n\nLet\u0027s call l2cap_sock_cleanup_listen() under lock_sock() in\nl2cap_sock_release().\n\n[0]:\nBUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\nRead of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995\nCPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]\n do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115\n spin_lock_bh 
include/linux/spinlock.h:356 [inline]\n release_sock+0x21/0x220 net/core/sock.c:3746\n bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312\n l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451\n l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x3ff/0xb70 fs/file_table.c:468\n task_work_run+0x14d/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2accf8ebe9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f\nR10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c\nR13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490\n \u003c/TASK\u003e\n\nAllocated by task 5326:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4365 [inline]\n __kmalloc_nopro\n---truncated---",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-39860"
},
{
"cve": "CVE-2025-39864",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix use-after-free in cmp_bss()\n\nFollowing bss_free() quirk introduced in commit 776b3580178f\n(\"cfg80211: track hidden SSID networks properly\"), adjust\ncfg80211_update_known_bss() to free the last beacon frame\nelements only if they\u0027re not shared via the corresponding\n\u0027hidden_beacon_bss\u0027 pointer.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-39864"
},
{
"cve": "CVE-2025-39865",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "summary",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix NULL pointer dereference in tee_shm_put\n\ntee_shm_put have NULL pointer dereference:\n\n__optee_disable_shm_cache --\u003e\n\tshm = reg_pair_to_ptr(...);//shm maybe return NULL\n tee_shm_free(shm); --\u003e\n\t\ttee_shm_put(shm);//crash\n\nAdd check in tee_shm_put to fix it.\n\npanic log:\nUnable to handle kernel paging request at virtual address 0000000000100cca\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000\n[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] SMP\nCPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----\n6.6.0-39-generic #38\nSource Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07\nHardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0\n10/26/2022\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : tee_shm_put+0x24/0x188\nlr : tee_shm_free+0x14/0x28\nsp : ffff001f98f9faf0\nx29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000\nx26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048\nx23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88\nx20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff\nx17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003\nx14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101\nx11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c\nx8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca\nCall 
trace:\ntee_shm_put+0x24/0x188\ntee_shm_free+0x14/0x28\n__optee_disable_shm_cache+0xa8/0x108\noptee_shutdown+0x28/0x38\nplatform_shutdown+0x28/0x40\ndevice_shutdown+0x144/0x2b0\nkernel_power_off+0x3c/0x80\nhibernate+0x35c/0x388\nstate_store+0x64/0x80\nkobj_attr_store+0x14/0x28\nsysfs_kf_write+0x48/0x60\nkernfs_fop_write_iter+0x128/0x1c0\nvfs_write+0x270/0x370\nksys_write+0x6c/0x100\n__arm64_sys_write+0x20/0x30\ninvoke_syscall+0x4c/0x120\nel0_svc_common.constprop.0+0x44/0xf0\ndo_el0_svc+0x24/0x38\nel0_svc+0x24/0x88\nel0t_64_sync_handler+0x134/0x150\nel0t_64_sync+0x14c/0x15",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-39865"
},
{
"cve": "CVE-2025-59375",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "summary",
"text": "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"1",
"2",
"3",
"4",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
},
{
"category": "vendor_fix",
"details": "Update to V3.3 or later version",
"product_ids": [
"5"
],
"url": "https://support.industry.siemens.com/cs/ww/en/view/109997626/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15"
]
}
],
"title": "CVE-2025-59375"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.