info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Handle jq CVE-2023-49355, which is equal to CVE-2023-50246
4 views
Skip to first unread message
ChangZhuo Chen (陳昌倬)
Dec 16, 2023, 5:20:04 AM12/16/23
to
Hi,
I am jq maintainer, and right now CVE-2023-49355 is listed in security
tracker [0]. However, this CVE is equal to CVE-2023-50246 according to
upstream [1], which has been fixed in 1.7.1-1 [2].
In this case, how should I handle CVE-2023-49355?
[0] https://security-tracker.debian.org/tracker/source-package/jq
[1] https://github.com/jqlang/jq/issues/2986
[2] https://bugs.debian.org/1058763
--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
I am jq maintainer, and right now CVE-2023-49355 is listed in security
tracker [0]. However, this CVE is equal to CVE-2023-50246 according to
upstream [1], which has been fixed in 1.7.1-1 [2].
In this case, how should I handle CVE-2023-49355?
[0] https://security-tracker.debian.org/tracker/source-package/jq
[1] https://github.com/jqlang/jq/issues/2986
[2] https://bugs.debian.org/1058763
--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
ChangZhuo Chen (陳昌倬)
Dec 19, 2023, 9:40:05 PM12/19/23
to
On Tue, Dec 19, 2023 at 05:13:34PM +0100, Sylvain Beucler wrote:
> CVE-2023-49355 as a duplicate.
Submitted, thanks for the information.
> On 16/12/2023 11:15, ChangZhuo Chen (陳昌倬) wrote:
> > I am jq maintainer, and right now CVE-2023-49355 is listed in security
> > tracker [0]. However, this CVE is equal to CVE-2023-50246 according to
> > upstream [1], which has been fixed in 1.7.1-1 [2].
> >
> > In this case, how should I handle CVE-2023-49355?
> >
> >
> > [0] https://security-tracker.debian.org/tracker/source-package/jq
> > [1] https://github.com/jqlang/jq/issues/2986
> > [2] https://bugs.debian.org/1058763
>
> Ideally you can contact MITRE through https://cveform.mitre.org/ to mark
> > I am jq maintainer, and right now CVE-2023-49355 is listed in security
> > tracker [0]. However, this CVE is equal to CVE-2023-50246 according to
> > upstream [1], which has been fixed in 1.7.1-1 [2].
> >
> > In this case, how should I handle CVE-2023-49355?
> >
> >
> > [0] https://security-tracker.debian.org/tracker/source-package/jq
> > [1] https://github.com/jqlang/jq/issues/2986
> > [2] https://bugs.debian.org/1058763
>
> CVE-2023-49355 as a duplicate.
Submitted, thanks for the information.
0 new messages