Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > linux.debian.maint.boot > #76583
| From | Moritz Mühlenhoff <jmm@inutil.org> |
|---|---|
| Newsgroups | linux.debian.bugs.dist, linux.debian.maint.boot |
| Subject | Bug#1120795: busybox: CVE-2025-60876 |
| Date | 2025-11-16 14:20 +0100 |
| Message-ID | <LRKPE-dp5H-9@gated-at.bofh.it> (permalink) |
| Organization | linux.* mail to news gateway |
Cross-posted to 2 groups.
Source: busybox
X-Debbugs-CC: team@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for busybox.
CVE-2025-60876[0]:
| BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other
| C0 control bytes in the HTTP request-target (path/query), allowing
| the request line to be split and attacker-controlled headers to be
| injected. To preserve the HTTP/1.1 request-line shape METHOD SP
| request-target SP HTTP/1.1, a raw space (0x20) in the request-target
| must also be rejected (clients should use %20).
Not sure if this has been reported upstream, the busybox bug tracker
is currently down:
https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-60876
https://www.cve.org/CVERecord?id=CVE-2025-60876
Please adjust the affected versions in the BTS as needed.
Back to linux.debian.maint.boot | Previous | Next — Next in thread | Find similar
Bug#1120795: busybox: CVE-2025-60876 Moritz Mühlenhoff <jmm@inutil.org> - 2025-11-16 14:20 +0100 Bug#1120795: busybox: CVE-2025-60876 Bastian Blank <waldi@debian.org> - 2025-11-16 14:40 +0100 Bug#1120795: marked as done (busybox: CVE-2025-60876) "Debian Bug Tracking System" <owner@bugs.debian.org> - 2026-02-01 18:00 +0100
csiph-web