On 2025-07-06 15:28:25 +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: j...@packages.debian.org, t...@security.debian.org, ChangZhuo Chen (陳昌倬) <czc...@debian.org>, car...@debian.org
> Control: affects -1 + src:jq
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Hi ChangZhuo Chen, hi release team
>
> This is not actually a proper unblock request. There is in unstable a
> new jq version which fixes CVE-2025-48060 (the other mentioned CVEs
> were already fixed earlier afaics).
>
> But there is now a problem.
>
> 1. the new upstream version fails to build on i386.
>
> 2. the new upstream version 1.8.0 itself introduces a new security
> issue, CVE-2025-49014.
>
> ChangZhuo Chen, what is your take here? I see possibly two ways:
>
> Convince release team that a version based on 1.8.0 + including the
> security fix for CVE-2025-49014 and the FTBFS for i386 is fine, or
> actually revert back to 1.7.1-6, and apply the fix for CVE-2025-48060
> on top.
I think a targeted fix on top of 1.7.1 would be more appropriate. I don't
expect all of "190 files changed, 30175 insertions(+), 24688 deletions(-)"
is needed to fix CVE-2025-49104.

Cheers

> Regards,
> Salvatore

-- 
Sebastian Ramacher