-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade busybox to 3.6.1 #10452
Comments
|
Unforunatelly I can't attach Aqua report.
|
I'm curious about this assertion - we have been shipping buildroot 2022.08.1 for 2 years, since k3s-io/k3s-root#54. Did you mean to link a different buildroot version - 2022.08.3 perhaps? I see that https://github.com/buildroot/buildroot/commits/2022.08.3/package/busybox does include fixes for both of the linked vulns. |
My bad. Looked at |
Please consider upgrading busybox to v3.6.1 and/or upgrading buildroot to newer version.
Currently k3s ships busybox based on version 3.5.0 which if affected by
https://nvd.nist.gov/vuln/detail/CVE-2022-30065
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
Current upstream buildroot version (2022.08.1) includes patches for this CVEs.(buildroot 2022.08.1 does not include patches)Despite that somevulnerability scanners (e.g. Aqua) marks k3s busybox binary as affected by them.More than that they marks them as High Severity CVEs. That is quite uncomfortable as it requires manual checks for newer k3s versions.
I'm not avare about CVE-2022-28391 (https://bugs.busybox.net/show_bug.cgi?id=15001)
CVE-2022-30065 is fixed in busybox v3.6.1 according to https://busybox.net/
Upsteam buildroot upgraded busybox to version 3.6.1 since https://gitlab.com/buildroot.org/buildroot/-/commit/a7e4f557f5c5874c84d6ae2e28d752603e18ab3f about year ago.
The text was updated successfully, but these errors were encountered: