Bug 32640

Summary: jq new security issues CVE-2023-50246 and CVE-2023-50268
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: David GEIGER <geiger.david68210>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: jq-1.7-1.mga10.src.rpm CVE: CVE-2023-50246, CVE-2023-50268
Status comment:

Description Nicolas Salguero 2023-12-20 11:19:18 CET 
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2023/12/15/10

There are fixed in version 1.7.1 and with these commits:
https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297

Mageia 9 is also affected.
Nicolas Salguero 2023-12-20 11:20:18 CET

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.7.1
Source RPM: (none) => jq-1.7-1.mga10.src.rpm

Comment 1 Lewis Smith 2023-12-23 21:25:46 CET 
Assigning to you, David, as you put up v1.7 - very recently, in fact.

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2024-01-26 15:31:22 CET 
In fact, it only affected Cauldron.

Status comment: Fixed upstream in 1.7.1 => (none)
Status: NEW => RESOLVED
CVE: (none) => CVE-2023-50246, CVE-2023-50268
Resolution: (none) => FIXED
Whiteboard: MGA9TOO => (none)