Fedora alert FEDORA-2026-0eb8e878b6 (jq)
| From: | updates--- via package-announce <package-announce@lists.fedoraproject.org> | |
| To: | package-announce@lists.fedoraproject.org | |
| Subject: | [SECURITY] Fedora 44 Update: jq-1.8.1-3.fc44 | |
| Date: | Sat, 25 Apr 2026 01:58:51 +0000 | |
| Message-ID: | <20260425015851.D1EAD98F5A@bastion01.rdu3.fedoraproject.org> | |
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-0eb8e878b6
2026-04-25 01:21:36.173326+00:00
--------------------------------------------------------------------------------

Name        : jq
Product     : Fedora 44
Version     : 1.8.1
Release     : 3.fc44
URL         : https://jqlang.org/
Summary     : Command-line JSON processor
Description :
lightweight and flexible command-line JSON processor

jq is like sed for JSON data – you can use it to slice
and filter and map and transform structured data with
the same ease that sed, awk, grep and friends let you
play with text. It is written in portable C, and it has
zero runtime dependencies. jq can mangle the data format
that you have into the one that you want with very
little effort, and the program to do so is often shorter
and simpler than you'd expect.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2026-32316
Fixes CVE-2026-33947
Fixes CVE-2026-39956
Fixes CVE-2026-39979
Fixes CVE-2026-40164
Fixes bug https://github.com/jqlang/jq/issues/3413
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 16 2026 Jonathan Wright <jonathan@almalinux.org> - 1.8.1-3
- Fixes multiple CVEs
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2458029 - CVE-2026-32316 jq: jq: Denial of Service or potential arbitrary code execution due to integer overflow and heap-based buffer overflow [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2458029
  [ 2 ] Bug #2458368 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2458368
  [ 3 ] Bug #2458400 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2458400
  [ 4 ] Bug #2458401 - CVE-2026-33947 jq: unbounded Recursion in jv_setpath() / jv_getpath() / delpaths_sorted() [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2458401
  [ 5 ] Bug #2458402 - CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2458402
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-0eb8e878b6' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
