Your message dated Fri, 15 Dec 2023 21:05:14 +0000
with message-id <[email protected]>
and subject line Bug#1058763: fixed in jq 1.7.1-1
has caused the Debian Bug report #1058763,
regarding jq: CVE-2023-50246 CVE-2023-50268
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1058763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058763
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jq
Version: 1.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for jq.
CVE-2023-50246[0]:
| jq is a command-line JSON processor. Version 1.7 is vulnerable to
| heap-based buffer overflow. Version 1.7.1 contains a patch for this
| issue.
CVE-2023-50268[1]:
| jq is a command-line JSON processor. Version 1.7 is vulnerable to
| stack-based buffer overflow in builds using decNumber. Version 1.7.1
| contains a patch for this issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-50246
    https://www.cve.org/CVERecord?id=CVE-2023-50246
    https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc
[1] https://security-tracker.debian.org/tracker/CVE-2023-50268
    https://www.cve.org/CVERecord?id=CVE-2023-50268
    https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: jq
Source-Version: 1.7.1-1
Done: ChangZhuo Chen (陳昌倬) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <[email protected]> (supplier of updated jq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 16 Dec 2023 04:35:42 +0800
Source: jq
Architecture: source
Version: 1.7.1-1
Distribution: unstable
Urgency: high
Maintainer: ChangZhuo Chen (陳昌倬) <[email protected]>
Changed-By: ChangZhuo Chen (陳昌倬) <[email protected]>
Closes: 1058763
Changes:
jq (1.7.1-1) unstable; urgency=high
.
* New upstream release. (Closes: #1058763)
* Fix CVE-2023-50246, CVE-2023-50268.
* Remove unused patch.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---