Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246

To: Sylvain Beucler <beuc@beuc.net>
Cc: ChangZhuo Chen (陳昌倬) <czchen@debian.org>, debian-security@lists.debian.org
Subject: Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
Date: Wed, 20 Dec 2023 10:36:28 +0800
Message-id: <[🔎] ZYJTLGv5WsCf5uoQ@gmail.com>
In-reply-to: <[🔎] 156c1481-b22f-4ed7-a050-b6f72c738efb@beuc.net>
References: <[🔎] ZX14ppn425709nf5@gmail.com> <[🔎] 156c1481-b22f-4ed7-a050-b6f72c738efb@beuc.net>

On Tue, Dec 19, 2023 at 05:13:34PM +0100, Sylvain Beucler wrote:
> On 16/12/2023 11:15, ChangZhuo Chen (陳昌倬) wrote:
> > I am jq maintainer, and right now CVE-2023-49355 is listed in security
> > tracker [0]. However, this CVE is equal to CVE-2023-50246 according to
> > upstream [1], which has been fixed in 1.7.1-1 [2].
> > 
> > In this case, how should I handle CVE-2023-49355?
> > 
> > 
> > [0] https://security-tracker.debian.org/tracker/source-package/jq
> > [1] https://github.com/jqlang/jq/issues/2986
> > [2] https://bugs.debian.org/1058763
> 
> Ideally you can contact MITRE through https://cveform.mitre.org/ to mark
> CVE-2023-49355 as a duplicate.

Submitted, thanks for the information.


-- 
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790  8793 CC65 B0CD EC27 5D5B

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
  - From: ChangZhuo Chen (陳昌倬) <czchen@debian.org>
- Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
Next by Date: Re: Reaction to potential PGP schism
Previous by thread: Re: Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
Next by thread: libssh CVE-2023-6004, CVE-2023-6918, CVE-2023-48795
Index(es):
- Date
- Thread