SUSE SLES12 Security Update : busybox (SUSE-SU-2022:4253-1)

critical Nessus Plugin ID 168240

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4253-1 advisory.

- CVE-2014-9645: Fixed loading of unwanted modules with / (bsc#914660).
- CVE-2017-16544: Fixed insufficient sanitization of filenames when autocompleting (bsc#1069412).
- CVE-2015-9261: Fixed huft_build misuses a pointer, causing segfaults (bsc#1102912).
- CVE-2016-2147: Fixed out of bounds write (heap) due to integer underflow in udhcpc (bsc#970663).
- CVE-2016-2148: Fixed heap-based buffer overflow in OPTION_6RD parsing (bsc#970662).
- CVE-2016-6301: Fixed NTP server denial of service flaw (bsc#991940).
- CVE-2017-15873: Fixed integer overflow in get_next_block function in archival/libarchive/decompress_bunzip2.c (bsc#1064976).
- CVE-2017-15874: Fixed integer overflow in archival/libarchive/decompress_unlzma (bsc#1064978).
- CVE-2019-5747: Fixed out of bounds read in udhcp components (bsc#1121428).
- CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386: v1.34.0 bugfixes (bsc#1192869).
- CVE-2021-28831: Fixed invalid free or segmentation fault via malformed gzip data (bsc#1184522).
- CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426).
- CVE-2018-1000517: Fixed heap-based buffer overflow in the retrieve_file_data() (bsc#1099260).
- CVE-2011-5325: Fixed tar directory traversal (bsc#951562).
- CVE-2018-1000500: Fixed missing SSL certificate validation in wget (bsc#1099263).

- Update to 1.35.0
- awk: fix printf %%, fix read beyond end of buffer
- chrt: silence analyzer warning
- libarchive: remove duplicate forward declaration
- mount: 'mount -o rw ....' should not fall back to RO mount
- ps: fix -o pid=PID,args interpreting entire 'PID,args' as header
- tar: prevent malicious archives with long name sizes causing OOM
- udhcpc6: fix udhcp_find_option to actually find DHCP6 options
- xxd: fix -p -r
- support for new optoins added to basename, cpio, date, find, mktemp, wget and others

- Enable fdisk (jsc#CAR-16)

- Update to 1.34.1:
* build system: use SOURCE_DATE_EPOCH for timestamp if available
* many bug fixes and new features
* touch: make FEATURE_TOUCH_NODEREF unconditional

- update to 1.33.1:
* httpd: fix sendfile
* ash: fix HISTFILE corruptio
* ash: fix unset variable pattern expansion
* traceroute: fix option parsing
* gunzip: fix for archive corruption

- Update to version 1.33.0
- many bug fixes and new features

- Update to version 1.32.1
- fixes a case where in ash, 'wait' never finishes.

- prepare usrmerge (bsc#1029961)

- Enable testsuite and package it for later rerun (for QA, jsc#CAR-15)

- Update to version 1.31.1:
- Bug fix release. 1.30.1 has fixes for dc, ash (PS1 expansion fix), hush, dpkg-deb, telnet and wget.
- Changes from version 1.31.0:
- many bugfixes and new features.
- Add busybox-no-stime.patch: stime() has been deprecated in glibc 2.31 and replaced with clock_settime().

- update to 1.25.1:
* fixes for hush, gunzip, ip route, ntpd
- includes changes from 1.25.0:
* many added and expanded implementations of command options
- includes changes from 1.24.2:
* fixes for build system (static build with glibc fixed), truncate, gunzip and unzip.

- Update to version 1.24.1
* for a full list of changes see http://www.busybox.net/news.html
- Refresh busybox.install.patch

- Update to 1.23.2
* for a full list of changes see http://www.busybox.net/news.html
- Cleaned up spec file with spec-cleaner
- Refreshed patches

- update to 1.22.1:
Many updates and fixes for most included tools, see see http://www.busybox.net/news.html

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected busybox package.

See Also

https://bugzilla.suse.com/1029961

https://bugzilla.suse.com/1064976

https://bugzilla.suse.com/1064978

https://bugzilla.suse.com/1069412

https://bugzilla.suse.com/1099260

https://bugzilla.suse.com/1099263

https://bugzilla.suse.com/1102912

https://bugzilla.suse.com/1121426

https://bugzilla.suse.com/1121428

https://bugzilla.suse.com/1184522

https://bugzilla.suse.com/1191514

https://bugzilla.suse.com/1192869

https://bugzilla.suse.com/914660

https://bugzilla.suse.com/951562

https://bugzilla.suse.com/970662

https://bugzilla.suse.com/970663

https://bugzilla.suse.com/991940

https://www.suse.com/security/cve/CVE-2011-5325

https://www.suse.com/security/cve/CVE-2014-9645

https://www.suse.com/security/cve/CVE-2015-9261

https://www.suse.com/security/cve/CVE-2016-2147

https://www.suse.com/security/cve/CVE-2016-2148

https://www.suse.com/security/cve/CVE-2016-6301

https://www.suse.com/security/cve/CVE-2017-15873

https://www.suse.com/security/cve/CVE-2017-15874

https://www.suse.com/security/cve/CVE-2017-16544

https://www.suse.com/security/cve/CVE-2018-1000500

https://www.suse.com/security/cve/CVE-2018-1000517

https://www.suse.com/security/cve/CVE-2018-20679

https://www.suse.com/security/cve/CVE-2019-5747

https://www.suse.com/security/cve/CVE-2021-28831

https://www.suse.com/security/cve/CVE-2021-42373

https://www.suse.com/security/cve/CVE-2021-42374

https://www.suse.com/security/cve/CVE-2021-42375

https://www.suse.com/security/cve/CVE-2021-42376

https://www.suse.com/security/cve/CVE-2021-42377

https://www.suse.com/security/cve/CVE-2021-42378

https://www.suse.com/security/cve/CVE-2021-42379

https://www.suse.com/security/cve/CVE-2021-42380

https://www.suse.com/security/cve/CVE-2021-42381

https://www.suse.com/security/cve/CVE-2021-42382

https://www.suse.com/security/cve/CVE-2021-42383

https://www.suse.com/security/cve/CVE-2021-42384

https://www.suse.com/security/cve/CVE-2021-42385

https://www.suse.com/security/cve/CVE-2021-42386

http://www.nessus.org/u?968619af

Plugin Details

Severity: Critical

ID: 168240

File Name: suse_SU-2022-4253-1.nasl

Version: 1.7

Type: Local

Agent: unix

Published: 11/29/2022

Updated: 6/26/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.67

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-1000517

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-42377

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:busybox

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/28/2022

Vulnerability Publication Date: 1/27/2015

Reference Information

CVE: CVE-2011-5325, CVE-2014-9645, CVE-2015-9261, CVE-2016-2147, CVE-2016-2148, CVE-2016-6301, CVE-2017-15873, CVE-2017-15874, CVE-2017-16544, CVE-2018-1000500, CVE-2018-1000517, CVE-2018-20679, CVE-2019-5747, CVE-2021-28831, CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386

SuSE: SUSE-SU-2022:4253-1