Bug#635548: CVE-2011-2716
On Sun, June 3, 2012 12:29, Michael Tokarev wrote:
> The version of busybox currently in experimental verifies
> all the strings returned by dhcpd and if any bad char is
> found, it replaces the whole thing with literal string
> "bad" when exporting the variable to the script. So
> there should be no need to quote anything anymore.
>
> I haven't closed this bug because I merely forgot about it,
> and because I also wanted to recheck all open bugs when
> finally uploading busybox 1.20 to unstable. My current
> changelog contains mentions of closing of this bug, too.
>
> Thank you for the reminder, this means these serious issues
> weren't forgotten! And indeed they weren't!.. :)
Good! Will you ensure that 1.20 ends up in wheezy?
There's not much time I guess, because the wheezy freeze is scheduled for
this month.
Cheers,
Thijs
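
The "replace the whole value" behaviour described in the quoted message, sketched as an added example; this is not busybox's code and not part of the original mail. The function names and the allow-list (RFC 1123 style host names: letters, digits, '-' and '.') are assumptions, since the thread does not say which characters count as bad.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed allow-list check: dot-separated labels of [A-Za-z0-9-],
 * 1..63 bytes each, no leading or trailing '-', 253 bytes in total. */
static int is_safe_name(const char *s)
{
    size_t label_len = 0;
    char prev = '.';

    if (*s == '\0' || strlen(s) > 253)
        return 0;
    for (; *s; prev = *s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '.') {
            if (label_len == 0 || prev == '-')
                return 0;          /* empty label or label ending in '-' */
            label_len = 0;
        } else if (isalnum(c) || (c == '-' && label_len > 0)) {
            if (++label_len > 63)
                return 0;          /* label too long */
        } else {
            return 0;              /* space, quote, ';', '$', control byte, ... */
        }
    }
    return label_len > 0 && prev != '-';
}

/* Value to export to the script: the input if clean, else the literal
 * "bad". The value is never partially cleaned or escaped, so the script
 * sees either a known-safe string or a fixed constant. */
static const char *export_value(const char *opt_value)
{
    return is_safe_name(opt_value) ? opt_value : "bad";
}

int main(void)
{
    /* Constructed sample option values, not taken from the bug report. */
    const char *samples[] = { "host1.example.org", "lab;x.example.org",
                              "host name", "-lead.example.org" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("hostname=%s\n", export_value(samples[i]));
    return 0;
}
```
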