[Git][security-tracker-team/security-tracker][master] Reserve DLA-4600-1 for jq
Andreas Henriksson (@ah)
gitlab at salsa.debian.org
Mon May 25 08:56:12 BST 2026
Andreas Henriksson pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6d9832eb by Andreas Henriksson at 2026-05-25T09:56:04+02:00
Reserve DLA-4600-1 for jq
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -23627,7 +23627,6 @@ CVE-2026-40164 (jq is a command-line JSON processor. Before commit 0c7d133c3c7e3
- jq 1.8.1-5 (bug #1133921)
[trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
- [bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29
NOTE: Fixed by: https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784
CVE-2026-3017 (The Smart Post Show \u2013 Post Grid, Post Carousel & Slider, and List ...)
@@ -23636,14 +23635,12 @@ CVE-2026-39979 (jq is a command-line JSON processor. In commits before 2f09060af
- jq 1.8.1-5 (bug #1133921)
[trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
- [bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p
NOTE: Fixed by: https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f
CVE-2026-39956 (jq is a command-line JSON processor. In commits after 69785bf77f86e2ea ...)
- jq 1.8.1-5 (bug #1133921)
[trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
- [bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28
NOTE: Fixed by: https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03
CVE-2026-39426 (MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 an ...)
@@ -23692,14 +23689,12 @@ CVE-2026-33948 (jq is a command-line JSON processor. Commits before 6374ae0bcdfe
- jq 1.8.1-5 (bug #1133921)
[trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
- [bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9
NOTE: Fixed by: https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b
CVE-2026-33947 (jq is a command-line JSON processor. In versions 1.8.1 and below, func ...)
- jq 1.8.1-5 (bug #1133921)
[trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
- [bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg
NOTE: Fixed by: https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f
CVE-2026-33908 (ImageMagick is free and open-source software used for editing and mani ...)
@@ -23965,7 +23960,6 @@ CVE-2026-32316 (jq is a command-line JSON processor. An integer overflow vulnera
- jq 1.8.1-5 (bug #1133921)
[trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
- [bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f
NOTE: Fixed by: https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5
CVE-2026-31283 (In Totara LMS v19.1.5 and before, the forgot password API does not imp ...)
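Review bot: The data/CVE/list hunks drop the `[bullseye] - jq <postponed> (Minor issue)` line from only six entries (CVE-2026-40164, CVE-2026-39979, CVE-2026-39956, CVE-2026-33948, CVE-2026-33947, CVE-2026-32316), while the DLA entry added in data/DLA/list names eleven CVEs. Please confirm that CVE-2026-41256, CVE-2026-41257, CVE-2026-43895, CVE-2026-43896 and CVE-2026-44777 carry no leftover bullseye annotation (`<postponed>`, `<no-dsa>` or similar) that would contradict the fixed version recorded by the DLA. If any of them does, remove it in this same commit.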
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,9 @@
+[25 May 2026] DLA-4600-1 jq - security update
+ {CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956 CVE-2026-39979 CVE-2026-40164 CVE-2026-41256 CVE-2026-41257 CVE-2026-43895 CVE-2026-43896 CVE-2026-44777}
+ [bullseye] - jq 1.6-2.1+deb11u2
+[25 May 2026] DLA-4599-1 jq - security update
+ {CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956 CVE-2026-39979 CVE-2026-40164 CVE-2026-41256 CVE-2026-41257 CVE-2026-43895 CVE-2026-43896 CVE-2026-44777}
+ [bullseye] - jq 1.6-2.1+deb11u2
[24 May 2026] DLA-4598-1 nodejs - security update
{CVE-2025-59465 CVE-2026-21637 CVE-2026-21714}
[bullseye] - nodejs 12.22.12~dfsg-1~deb11u8
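Review bot: This hunk adds two advisory entries, DLA-4600-1 and DLA-4599-1, with the same date, the same eleven-CVE set and the same `[bullseye] - jq 1.6-2.1+deb11u2` version, yet the commit subject only mentions reserving DLA-4600-1. If a single jq upload is being announced, one of the two entries is a duplicate reservation and should be dropped so the tracker does not show two advisories for one fix. If both are intended, the entries should differ in version or CVE set and the commit message should say why.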
=====================================
data/dla-needed.txt
=====================================
@@ -256,10 +256,6 @@ jackson-core (Markus Koschany)
jetty9
NOTE: 20260418: Added by Front-Desk. Fix CVE-2026-5795 maybe other (rouca)
--
-jq (ah)
- NOTE: 20260519: Added by Front-Desk (Beuc)
- NOTE: 20260519: Many postponed CVEs piled-up (Beuc/front-desk)
---
kamailio
NOTE: 20260413: Added by Front-Desk (rouca)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d9832ebbc28281f6edfed6643d355e6bf9c1c79