CVE-2011-2716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2716): The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. @embedded: Please punt vulnerable versions.
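An added example, not part of the original report and not BusyBox's own fix: a POSIX shell allow-list check that a DHCP client script could apply to server-supplied name options before using them. The environment variable names `hostname`, `domain`, `nisdomain` and `tftp` are assumptions about what the client exports to its script; the function names are hypothetical.

```shell
# is_safe_dhcp_name VALUE
# Exit status 0 only if VALUE looks like a plain DNS-style name.
is_safe_dhcp_name() {
    name=$1
    # Reject empty or over-long values (253 is the DNS name length limit).
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    # Allow-list: any character other than letters, digits, '-' and '.'
    # is rejected, which covers shell metacharacters, spaces and newlines.
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Check each dot-separated label: 1..63 chars, no leading/trailing '-'.
    rest=$name
    while :; do
        label=${rest%%.*}
        [ -n "$label" ] && [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;
        esac
        case $rest in
            *.*) rest=${rest#*.} ;;
            *) break ;;
        esac
    done
    return 0
}

# Drop any name option that fails the check so later script code never
# sees it. Variable names are assumed, see the note above the block.
sanitize_dhcp_env() {
    is_safe_dhcp_name "${hostname-}"  || unset hostname
    is_safe_dhcp_name "${domain-}"    || unset domain
    is_safe_dhcp_name "${nisdomain-}" || unset nisdomain
    is_safe_dhcp_name "${tftp-}"      || unset tftp
}
```

Quoting every expansion of these variables in the script is still required; the check narrows what can reach them, it does not replace quoting.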
17:58 <@ago> blueness: could I remove <1.20.1 as requested in bug 426504 ?
17:59 <@blueness> ago, i would say yes, but busybox is very much vapier's thing. ping him a few times and if you get no answer, ping me again and i'll look into this more carefully

@Mike, what's your mind?
(In reply to Agostino Sarubbo from comment #1) feel free to cull old busybox ebuilds all you like
Cleanup done, @security go ahead with the glsa.
Thanks for your work. Added to existing GLSA draft.
(In reply to Agostino Sarubbo from comment #3) you need to look at unused files in $FILESDIR too. there's a number of patches left behind that are dead now.
This issue was resolved and addressed in GLSA 201312-02 at http://security.gentoo.org/glsa/glsa-201312-02.xml by GLSA coordinator Chris Reffett (creffett).