This bug was fixed in the package busybox - 1:1.37.0-10.1ubuntu2
---------------
busybox (1:1.37.0-10.1ubuntu2) stonking; urgency=medium
* d/tree/usr/share/initramfs-tools/hooks/zz-busybox:
remove stray closing bracket. This was leftover from an incorrect merge.
Caused an autopkgtest r-dep regression in `initramfs-tools`. LP: #2156784
busybox (1:1.37.0-10.1ubuntu1) stonking; urgency=medium
* Merge with Debian unstable. (LP: #2153290) Remaining changes:
- Add busybox-initramfs binary package and initramfs flavour:
+ Add dirname from coreutils to the initramfs
+ Enable the new klibc utility implementations, nuke and run-init
in the initramfs package; and also enable reboot. Doesn't yet make
klibc-utils irrelevant - we still use ipconfig, fstype, and nfsmount
- but it moves us much closer and should save a little bit of disk
space.
+ Enable TLS in initramfs flavour of wget applet, requires openssl
+ d/config/pkg/initramfs: Enable the date applet with the same
options as the other variants for use in fixrtc and casper scripts.
+ Prefer busybox cmds over klibc cmds where there is duplication.
+ Move zz-busybox to busybox-initramfs to ensure we get links to all
the tools we need, stop shipping it anywhere else.
+ d/tree/busybox/usr/share/initramfs-tools/hooks/zz-busybox:
Copy certs and openssl config for the casper+busybox-initramfs case.
+ Add Ubuntu configuration for busybox binaries.
- test-bin.patch: Move test and friends to /bin.
- static-sh-alias.patch: Add static-sh alias name for ash, and install
/bin/static-sh symlink to busybox in busybox-static.
- d/config/pkg/{deb,static}: Enable chpasswd (needed by LXC).
+ archival-disallow-path-traversals-*.patch adds a new feature that was
not configured in d/config/pkg/initramfs as busybox-initramfs is an
Ubuntu only package. Adds in the default config to to the initramfs
conf.
- d/p/fix-start-stop-daemon-rust-coreutils.patch
rust-coreutils disallows running an executable by a different
name. This leads to "start-stop-daemon with both -x and -a"
to fail as it attempts to run /bin/false under a different
name, qwerty. Patch test to use the same executable as the
test does not check argv[0] difference
- d/busybox-static.links fix link location
- d/busybox-static.links updated to be in usr/bin instead of bin.
(LP #2139160)
busybox (1:1.37.0-10.1) unstable; urgency=medium
* Non-maintainer upload.
* CVE-2026-26157: Incomplete path sanitization in archive
extraction utilities
* CVE-2026-26158: File modification outside of the intended
extraction directory in tar
* (Closes: #1127782)
busybox (1:1.37.0-10) unstable; urgency=medium
* Revert "initramfs-tools/conf-hooks.d/busybox:
remove, initramfs-tools do not use $BUSYBOXDIR anymore"
As it turns out, it *is* used still.
(Closes: #1126810, #1126809)
busybox (1:1.37.0-9) unstable; urgency=medium
* netstat-sanitize-argv0-for-p-CVE-2024-58251.patch (Closes: #1104009)
busybox (1:1.37.0-8) unstable; urgency=medium
* awk.c-fix-CVE-2023-42366-bug-15874.patch (Closes: #1059053)
* wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch (Closes: #1120795)
* two patches (one from upstream and missing hunk) to fix CVE-2025-46394:
archival-libarchive-sanitize-filenames-on-output-CVE-2025-46394.patch
archival-libarchive-sanitize-filenames-on-output-CVE-2025-46394-2.patch
(Closes: #1104008)
* config: deb,static: enable resize applet
* initramfs-tools/conf-hooks.d/busybox: remove,
initramfs-tools don't use $BUSYBOXDIR anymore
* initramfs-tools/hooks/zz-busybox:
print applets added to initramfs in verbose mode
-- John Chittum <[email protected]> Mon, 15 Jun 2026 11:27:30
-0400
** Changed in: busybox (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2023-42366
** CVE added: https://cve.org/CVERecord?id=CVE-2024-58251
** CVE added: https://cve.org/CVERecord?id=CVE-2025-46394
** CVE added: https://cve.org/CVERecord?id=CVE-2025-60876
** CVE added: https://cve.org/CVERecord?id=CVE-2026-26157
** CVE added: https://cve.org/CVERecord?id=CVE-2026-26158
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2153290
Title:
Merge busybox from Debian for stonking cycle
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/2153290/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
