Package: release.debian.org
Severity: normal
X-Debbugs-Cc: j...@packages.debian.org, t...@security.debian.org, ChangZhuo Chen (陳昌倬) <czc...@debian.org>, car...@debian.org
Control: affects -1 + src:jq
User: release.debian....@packages.debian.org
Usertags: unblock

Hi ChangZhuo Chen, hi release team,

This is not actually a proper unblock request. There is in unstable a new jq version which fixes CVE-2025-48060 (the other mentioned CVEs were already fixed earlier afaics). But there is now a problem.

1. the new upstream version fails to build on i386.
2. the new upstream version 1.8.0 itself introduces a new security issue, CVE-2025-49014.

ChangZhuo Chen, what is your take here? I see possibly two ways: Convince release team that a version based on 1.8.0 + including the security fix for CVE-2025-49014 and the FTBFS for i386 is fine, or actually revert back to 1.7.1-6, and apply the fix for CVE-2025-48060 on top.

Regards,
Salvatore