| Package | busybox |
|---|---|
| Version | 1:1.20.0-7+deb7u2 |
| Related CVEs | CVE-2011-5325 CVE-2015-9261 |
The security update of busybox announced as ELA-20-1 introduced a regression due to an incomplete fix for CVE-2015-9261. It was no longer possible to decompress gzip archives which exceeded a certain file size.
It was also found that the patch to fix CVE-2011-5325, a symlinking attack, was too strict in case of cpio archives. This update restores the old behavior.
For Debian 7 Wheezy, these problems have been fixed in version 1:1.20.0-7+deb7u2.
We recommend that you upgrade your busybox packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.