
Bug#1108863: [discussion] unblock: jq/1.8.0-1



Package: release.debian.org
Severity: normal
X-Debbugs-Cc: jq@packages.debian.org, team@security.debian.org, ChangZhuo Chen (陳昌倬) <czchen@debian.org>, carnil@debian.org
Control: affects -1 + src:jq
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi ChangZhuo Chen, hi release team

This is not actually a proper unblock request. There is in unstable a
new jq version which fixes CVE-2025-48060 (the other mentioned CVEs
were already fixed earlier afaics). 

But there is now a problem. 

1. the new upstream version fails to build on i386.

2. the new upstream version 1.8.0 itself introduces a new security
issue, CVE-2025-49014.

ChangZhuo Chen, what is your take here? I see possibly two ways:

Convince release team that a version based on 1.8.0 + including the
security fix for CVE-2025-49014 and the FTBFS for i386 is fine, or
actually revert back to 1.7.1-6, and apply the fix for CVE-2025-48060
on top.

Regards,
Salvatore
