Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246

To: ChangZhuo Chen (陳昌倬) <czchen@debian.org>, debian-security@lists.debian.org
Subject: Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
From: Sylvain Beucler <beuc@beuc.net>
Date: Tue, 19 Dec 2023 17:13:34 +0100
Message-id: <[🔎] 156c1481-b22f-4ed7-a050-b6f72c738efb@beuc.net>
In-reply-to: <[🔎] ZX14ppn425709nf5@gmail.com>
References: <[🔎] ZX14ppn425709nf5@gmail.com>

Hi,

On 16/12/2023 11:15, ChangZhuo Chen (陳昌倬) wrote:

I am jq maintainer, and right now CVE-2023-49355 is listed in security
tracker [0]. However, this CVE is equal to CVE-2023-50246 according to
upstream [1], which has been fixed in 1.7.1-1 [2].

In this case, how should I handle CVE-2023-49355?


[0] https://security-tracker.debian.org/tracker/source-package/jq
[1] https://github.com/jqlang/jq/issues/2986
[2] https://bugs.debian.org/1058763

Ideally you can contact MITRE through https://cveform.mitre.org/ to markCVE-2023-49355 as a duplicate.


Cheers!
Sylvain Beucler
Debian LTS Team

Reply to:

Follow-Ups:
- Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
  - From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>

References:
- Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
  - From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>

Prev by Date: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
Next by Date: Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
Previous by thread: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
Next by thread: Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
Index(es):
- Date
- Thread