<CAMgJUL2X6tTPDJZSnciPOgL9g4p1ix1FxeqPsWniVytO9ctnow@mail.gmail.com>
Hi,

It has been brought to my attention that the current jq package in alpine is vulnerable to CVE-2016-4074 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074>. The fix for this issue was released a while back on their master branch, but no one packaged it into a release. On the project website <https://stedolan.github.io/jq/> the latest jq release is 1.5, which was released more than two years ago. It is vulnerable to this CVE.

It is worth mentioning that someone on the project GitHub released 1.6rc1 last year and it includes the fix for this issue. You might want to consider packaging this release, but I am not very familiar with the jq release process, nor have I found any documentation of it.

The alpine jq package <https://git.alpinelinux.org/cgit/aports/tree/main/jq/APKBUILD> patches CVE-2015-8863, so I think it should also patch this issue for the meanwhile. You can see the correspondence on this issue <https://github.com/stedolan/jq/issues/1136> and the fix <https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292#diff-6bc4fa2c743f03adaf36dcc09acaaba2>.

Also relevant (from the jq side): https://github.com/stedolan/jq/issues/1406

LMK if there is anything I can do by myself.

Thank you,
Ariel Zelivansky
Twistlock Security Researcher
<CAGG_d8BsZQ1O5A2-ARmX4VjZGiMBVGMH2-475+rz_7YnXoAeuQ@mail.gmail.com>
Hi,

On Tue, Apr 17, 2018 at 3:07 PM, Ariel Zelivansky <ariel@twistlock.com> wrote:
> Hi,
>
> It has been brought to my attention that the current jq package in alpine
> is vulnerable to CVE-2016-4074
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074>.
>

Thank you for bringing this to our attention. This has now been fixed in edge. I'll see if it can be backported to stable branches too.

>
> The fix for this issue was released a while back on their master branch
> but no one packaged it into release. On the project website
> <https://stedolan.github.io/jq/> the latest jq release is 1.5, which was
> released more than two years ago. It is vulnerable to this CVE.
>
> It is worth mentioning someone on the project GitHub someone released
> 1.6rc1 last year and it includes the fix for this issue. You might want to
> consider packaging this release but I am not very familiar with the jq
> release process or found any documentation of it.
>
> The alpine jq package
> <https://git.alpinelinux.org/cgit/aports/tree/main/jq/APKBUILD> patches
> CVE-2015-8863 so I think it should also patch this issue for the meanwhile.
> You can see the correspondence on this issue
> <https://github.com/stedolan/jq/issues/1136> and the fix
> <https://github.com/stedolan/jq/commit/83e2cf607f3599d208b6b3129092fa7deb2e5292#diff-6bc4fa2c743f03adaf36dcc09acaaba2>
> .
>

This was fixed in the 1.5-r1 package.

Best regards,
/eo