• Handle jq CVE-2023-49355, which is equal to CVE-2023-50246

    From ChangZhuo Chen (陳昌倬) to All on Sat Dec 16 11:20:01 2023
    Hi,

    I am the jq maintainer, and right now CVE-2023-49355 is listed in the security
    tracker [0]. However, this CVE is equal to CVE-2023-50246 according to
    upstream [1], which has been fixed in 1.7.1-1 [2].

    In this case, how should I handle CVE-2023-49355?


    [0] https://security-tracker.debian.org/tracker/source-package/jq
    [1] https://github.com/jqlang/jq/issues/2986
    [2] https://bugs.debian.org/1058763

    --
    ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B


    --- SoupGate-Win32 v1.05
    * Origin: fsxN
  • From ChangZhuo Chen (陳昌倬) to Sylvain Beucler on Wed Dec 20 03:40:02 2023
    On Tue, Dec 19, 2023 at 05:13:34PM +0100, Sylvain Beucler wrote:
    > On 16/12/2023 11:15, ChangZhuo Chen (陳昌倬) wrote:
    > > I am the jq maintainer, and right now CVE-2023-49355 is listed in the security tracker [0]. However, this CVE is equal to CVE-2023-50246 according to upstream [1], which has been fixed in 1.7.1-1 [2].
    > >
    > > In this case, how should I handle CVE-2023-49355?
    > >
    > > [0] https://security-tracker.debian.org/tracker/source-package/jq
    > > [1] https://github.com/jqlang/jq/issues/2986
    > > [2] https://bugs.debian.org/1058763
    >
    > Ideally you can contact MITRE through https://cveform.mitre.org/ to mark CVE-2023-49355 as a duplicate.

    Submitted, thanks for the information.


    --
    ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
