Bug#1108863: marked as done (unblock: jq/1.7.1-6+deb13u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 8 Jul 2025 18:33:08 +0200
with message-id <aG1IRAATNBvgddpy@ramacher.at>
and subject line Re: Bug#1108863: [discussion] unblock: jq/1.8.0-1
has caused the Debian Bug report #1108863,
regarding unblock: jq/1.7.1-6+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108863
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: [discussion] unblock: jq/1.8.0-1
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Sun, 06 Jul 2025 15:28:25 +0200
• Message-id: <[🔎] 175180850578.3488914.7154766725164095947.reportbug@eldamar.lan>

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: jq@packages.debian.org, team@security.debian.org, ChangZhuo Chen (陳昌倬) <czchen@debian.org>, carnil@debian.org
Control: affects -1 + src:jq
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi ChangZhuo Chen, hi release team

This is not actaully a proper unblock request. There is in unstable a
new jq version which fixes CVE-2025-48060 (the other mentioned CVEs
were already fixed earlier afaics). 

But there is now a problem. 

1. the new upstream version fails to build on i386.

2. the new upstream version 1.8.0 itself introduces a new security
issue, CVE-2025-49014.

ChangZhuo Chen, what is your take here? I see possibly two ways:

Convince release team that a version based on 1.8.0 + including the
security fix for CVE-2025-49014 and the FTBFS for i386 is fine, or
actually revert back to 1.7.1-6, and apply the fix for CVE-2025-48060
on top.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: ChangZhuo Chen <czchen@debian.org>, 1108863-done@bugs.debian.org
• Subject: Re: Bug#1108863: [discussion] unblock: jq/1.8.0-1
• From: Sebastian Ramacher <sramacher@debian.org>
• Date: Tue, 8 Jul 2025 18:33:08 +0200
• Message-id: <aG1IRAATNBvgddpy@ramacher.at>
• In-reply-to: <[🔎] aGzCDI9Gv4M8W8r5@gmail.com>
• References: <[🔎] 175180850578.3488914.7154766725164095947.reportbug@eldamar.lan> <[🔎] 175180850578.3488914.7154766725164095947.reportbug@eldamar.lan> <[🔎] aGrL6BSTkWiHKuZV@ramacher.at> <[🔎] aGvmpVKcp9SRKIBl@gmail.com> <[🔎] aGv4wfDzPde_75-3@gmail.com> <[🔎] aGyycILD4DxRR1zq@ramacher.at> <[🔎] 175180850578.3488914.7154766725164095947.reportbug@eldamar.lan> <[🔎] aGzCDI9Gv4M8W8r5@gmail.com>

On 2025-07-08 15:00:28 +0800, ChangZhuo Chen (陳昌倬) wrote:
> Control: tags -1 - moreinfo
> 
> On Tue, Jul 08, 2025 at 07:53:52AM +0200, Sebastian Ramacher wrote:
> > Please go ahead with this upload. Please remove the moreinfo tag after
> > the upload.
> 
> I have uploaded the package.

Thanks, unblocked.

Cheers
-- 
Sebastian Ramacher

--- End Message ---