
Re: [alpine-devel] Patching CVE-2016-4074 in jq

From: Leonardo Arena <>
Date: Tue, 17 Apr 2018 17:01:44 +0200


On Tue, Apr 17, 2018 at 3:07 PM, Ariel Zelivansky <>

> Hi,
> It has been brought to my attention that the current jq package in alpine
> is vulnerable to CVE-2016-4074
> <>.

Thank you for bringing this to our attention. This has now been fixed in
edge. I'll see if it can be backported to stable branches too.

> The fix for this issue was released a while back on their master branch
> but no one packaged it into release. On the project website
> <> the latest jq release is 1.5, which was
> released more than two years ago. It is vulnerable to this CVE.
> It is worth mentioning that someone on the project GitHub released
> 1.6rc1 last year and it includes the fix for this issue. You might want to
> consider packaging this release, but I am not very familiar with the jq
> release process, nor have I found any documentation of it.
> The alpine jq package
> <> patches
> CVE-2015-8863, so I think it should also patch this issue in the meantime.
> You can see the correspondence on this issue
> <> and the fix
> <>.
This was fixed in the 1.5-r1 package.

Best regards,


Received on Tue Apr 17 2018 - 17:01:44 UTC