CVE-2023-50246 only affects jq >= 1.7 until 1.7.1. That issue was
introduced with cf4b48c7ba30cb30e116b523cff036ea481459f6. Mantic (23.10)
has jq version 1.6-3 and Noble (24.04) has 1.7.1-3build1. This is why
unaffected versions are labeled as "Not vulnerable (code not present)"
on https://ubuntu.com/security/CVE-2023-50246

CVE-2023-50268 has the same story. The break appears to be
680baeffeb7983e7570b5e68db07fe47f94db8c7 which was introduced in 1.7 and
fixed in 1.7.1. https://ubuntu.com/security/CVE-2023-50268


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2063014

Title:
  CVE-2023-50246 and CVE-2023-50268
