Source: jq
Version: 1.8.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for jq.

CVE-2025-49014[0]:
| jq is a command-line JSON processor. In version 1.8.0 a heap use
| after free vulnerability exists within the function f_strflocaltime
| of /src/builtin.c. This issue has been patched in commit 499c91b, no
| known fix version exists at time of publication.

Note, while the severity as RC is disputable to some extent, this issue
is introduced in the new upstream version uploaded recently, so 1.8.0-1
should not migrate to trixie in this form ideally.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49014
    https://www.cve.org/CVERecord?id=CVE-2025-49014
[1] https://github.com/jqlang/jq/security/advisories/GHSA-rmjp-cr27-wpg2
[2] https://github.com/jqlang/jq/commit/499c91bca9d4d027833bc62787d1bb075c03680e

Regards,
Salvatore