Ubuntu has issued an advisory today (September 22):
The issue is fixed upstream in 1.32.0.
Assigning this to you, Stig, as the principle recent committer of this SRPM.
Thanks Lewis. This package belongs to Shlomi. Assigning to him as I do not have the time to take of this at the moment.
*** Bug 27734 has been marked as a duplicate of this bug. ***
Patch available from Ubuntu
The updated packages fix a security vulnerability:
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". (CVE-2018-1000500)
Updated packages in core/updates_testing:
Patch available from Ubuntu =>
Installed and tested without issues.
Tested a bunch of busybox commands (applets as called in busybox), including wget. Tested both dynamic and static busybox packages. No issues noticed.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep busybox
Validating. Advisory in Comment 4.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.