Re: [alpine-devel] Patching CVE-2016-4074 in jq
On Tue, Apr 17, 2018 at 3:07 PM, Ariel Zelivansky <ariel_at_twistlock.com> wrote:
> It has been brought to my attention that the current jq package in alpine
> is vulnerable to CVE-2016-4074
Thank you for bringing this to our attention. This has now been fixed in
edge. I'll see if it can be backported to stable branches too.
> The fix for this issue was released a while back on their master branch
> but no one packaged it into release. On the project website
> <https://stedolan.github.io/jq/> the latest jq release is 1.5, which was
> released more than two years ago. It is vulnerable to this CVE.
> It is worth mentioning that someone on the project GitHub released
> 1.6rc1 last year and it includes the fix for this issue. You might want to
> consider packaging this release, but I am not very familiar with the jq
> release process, nor have I found any documentation of it.
> The alpine jq package
> <https://git.alpinelinux.org/cgit/aports/tree/main/jq/APKBUILD> patches
> CVE-2015-8863 so I think it should also patch this issue for the meanwhile.
> You can see the correspondence on this issue
> <https://github.com/stedolan/jq/issues/1136> and the fix
This was fixed in 1.5-r1 package.
Received on Tue Apr 17 2018 - 17:01:44 GMT