Handle jq CVE-2023-49355, which is equal to CVE-2023-50246

To: debian-security@lists.debian.org
Subject: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Date: Sat, 16 Dec 2023 18:15:02 +0800
Message-id: <[🔎] ZX14ppn425709nf5@gmail.com>

Hi,

I am jq maintainer, and right now CVE-2023-49355 is listed in security
tracker [0]. However, this CVE is equal to CVE-2023-50246 according to
upstream [1], which has been fixed in 1.7.1-1 [2].

In this case, how should I handle CVE-2023-49355?


[0] https://security-tracker.debian.org/tracker/source-package/jq
[1] https://github.com/jqlang/jq/issues/2986
[2] https://bugs.debian.org/1058763

-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: Re: Reaction to potential PGP schism
Next by Date: Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
Previous by thread: Re: Reaction to potential PGP schism
Next by thread: Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
Index(es):
- Date
- Thread