Security update for busybox SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0235-1 Final 1 1 2026-01-22T12:25:06Z current 2026-01-22T12:25:06Z 2026-01-22T12:25:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for busybox This update for busybox fixes the following issues: Security issues: - CVE-2025-46394: Fixed tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661) - CVE-2025-60876: Fixed HTTP request header injection in wget (CVE-2025-60876, bsc#1253245) Other issues: - Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670) - Fixed unshare -mrpf sh core dump on ppc64le (bsc#1249237) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-235,SUSE-SLE-Module-Basesystem-15-SP7-2026-235 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260235-1/ Link for SUSE-SU-2026:0235-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023850.html E-Mail link for SUSE-SU-2026:0235-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1236670 SUSE Bug 1236670 https://bugzilla.suse.com/1241661 SUSE Bug 1241661 https://bugzilla.suse.com/1249237 SUSE Bug 1249237 https://bugzilla.suse.com/1253245 SUSE Bug 1253245 https://www.suse.com/security/cve/CVE-2025-46394/ SUSE CVE CVE-2025-46394 page https://www.suse.com/security/cve/CVE-2025-60876/ SUSE CVE CVE-2025-60876 page SUSE Linux Enterprise Module for Basesystem 15 SP7 busybox-1.37.0-150700.18.10.1 busybox-adduser-1.37.0-150700.12.7.1 busybox-attr-1.37.0-150700.12.7.1 busybox-bc-1.37.0-150700.12.7.1 busybox-bind-utils-1.37.0-150700.12.7.1 busybox-bzip2-1.37.0-150700.12.7.1 busybox-coreutils-1.37.0-150700.12.7.1 busybox-cpio-1.37.0-150700.12.7.1 busybox-diffutils-1.37.0-150700.12.7.1 busybox-dos2unix-1.37.0-150700.12.7.1 busybox-ed-1.37.0-150700.12.7.1 busybox-findutils-1.37.0-150700.12.7.1 busybox-gawk-1.37.0-150700.12.7.1 busybox-grep-1.37.0-150700.12.7.1 busybox-gzip-1.37.0-150700.12.7.1 busybox-hexedit-1.37.0-150700.12.7.1 busybox-hostname-1.37.0-150700.12.7.1 busybox-iproute2-1.37.0-150700.12.7.1 busybox-iputils-1.37.0-150700.12.7.1 busybox-kbd-1.37.0-150700.12.7.1 busybox-kmod-1.37.0-150700.12.7.1 busybox-less-1.37.0-150700.12.7.1 busybox-links-1.37.0-150700.12.7.1 busybox-man-1.37.0-150700.12.7.1 busybox-misc-1.37.0-150700.12.7.1 busybox-ncurses-utils-1.37.0-150700.12.7.1 busybox-net-tools-1.37.0-150700.12.7.1 busybox-netcat-1.37.0-150700.12.7.1 busybox-patch-1.37.0-150700.12.7.1 busybox-policycoreutils-1.37.0-150700.12.7.1 busybox-procps-1.37.0-150700.12.7.1 busybox-psmisc-1.37.0-150700.12.7.1 busybox-sed-1.37.0-150700.12.7.1 busybox-selinux-tools-1.37.0-150700.12.7.1 busybox-sendmail-1.37.0-150700.12.7.1 busybox-sh-1.37.0-150700.12.7.1 busybox-sha3sum-1.37.0-150700.12.7.1 busybox-sharutils-1.37.0-150700.12.7.1 busybox-static-1.37.0-150700.18.10.1 busybox-syslogd-1.37.0-150700.12.7.1 busybox-sysvinit-tools-1.37.0-150700.12.7.1 busybox-tar-1.37.0-150700.12.7.1 busybox-telnet-1.37.0-150700.12.7.1 busybox-testsuite-1.37.0-150700.18.10.1 busybox-tftp-1.37.0-150700.12.7.1 busybox-time-1.37.0-150700.12.7.1 busybox-traceroute-1.37.0-150700.12.7.1 busybox-tunctl-1.37.0-150700.12.7.1 busybox-udhcpc-1.37.0-150700.12.7.1 busybox-unzip-1.37.0-150700.12.7.1 busybox-util-linux-1.37.0-150700.12.7.1 busybox-vi-1.37.0-150700.12.7.1 busybox-vlan-1.37.0-150700.12.7.1 busybox-warewulf3-1.37.0-150700.18.10.1 busybox-wget-1.37.0-150700.12.7.1 busybox-which-1.37.0-150700.12.7.1 busybox-whois-1.37.0-150700.12.7.1 busybox-xz-1.37.0-150700.12.7.1 busybox-1.37.0-150700.18.10.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 busybox-static-1.37.0-150700.18.10.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. CVE-2025-46394 SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.10.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260235-1/ https://www.suse.com/security/cve/CVE-2025-46394.html CVE-2025-46394 https://bugzilla.suse.com/1241661 SUSE Bug 1241661 BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). CVE-2025-60876 SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-1.37.0-150700.18.10.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:busybox-static-1.37.0-150700.18.10.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260235-1/ https://www.suse.com/security/cve/CVE-2025-60876.html CVE-2025-60876 https://bugzilla.suse.com/1253245 SUSE Bug 1253245