Your message dated Thu, 02 Jul 2026 07:36:07 +0100
with message-id 
<aa5bd29484609a30e7eaf2728702a43bd12aa501.ca...@adam-barratt.org.uk>
and subject line Re: Bug#1137088: bookworm-pu: package jq/1.8.1-6~bpo12+1
has caused the Debian Bug report #1137088,
regarding bookworm-pu: package jq/1.8.1-6~bpo12+1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137088
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:jq
User: [email protected]
Usertags: pu

[ Reason ]

Fix the following security vulnerabilities:

* CVE-2026-40612
* CVE-2026-41256
* CVE-2026-41257
* CVE-2026-43894
* CVE-2026-43895
* CVE-2026-43896
* CVE-2026-44777
* CVE-2026-32316
* CVE-2026-33947
* CVE-2026-33948
* CVE-2026-39956
* CVE-2026-39979
* CVE-2026-40164
* CVE-2025-49014
* CVE-2024-23337
* CVE-2024-53427
* CVE-2025-48060
* CVE-2023-50246
* CVE-2023-50268

[ Impact ]

Security vulnerabilities

[ Tests ]

Tested by upstream unit tests.

[ Risks ]

* jq has zero runtime dependencies, so it is safe to backport.
* Cherry-pick upstream patches is infeasible due to the change in
  upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)

[ Other info ]
(Anything else the release team should know.)

-- 
ChangZhuo Chen (陳昌倬)
callsign: BU2HG
email: [email protected]
fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
On Fri, 2026-05-22 at 22:54 +0100, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
> 
> Hi,
> 
> You have prepared a package for backports, not for the stable release
> of bookworm. Please consult devref.
> 
> I do not understand how adding a dependency on tzdata on its own
> fixes that long list of security issues?

The diff was relative to unstable, where the security issues were
resolved - I assume the additional dependency was therefore necessary
in order to make the backported package build in bookworm.

A number of the CVEs listed are also already fixed in bookworm, some
long before this request was filed.

As there was no response from the submitter, and this request appears
to have clearly been misfiled, I'm closing it now.

Regards,

Adam

--- End Message ---

Reply via email to