Debian alert DLA-4599-1 (jq)
From: Andreans Henriksson <andreas@fatal.se>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4599-1] jq security update
Date: Mon, 25 May 2026 10:27:36 +0200
Message-ID: <gqt3lvkq55zscadhjjreivzsfjyc7nh3ej547ezquodyn6hbzi@4md2sy2wgkls>
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4599-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Andreans Henriksson
May 25, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : jq
Version        : 1.6-2.1+deb11u2
CVE ID         : CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956
                 CVE-2026-39979 CVE-2026-40164 CVE-2026-41256 CVE-2026-41257
                 CVE-2026-43895 CVE-2026-43896 CVE-2026-44777
Debian Bug     : 1136445

It was found that jq, a lightweight and flexible command-line JSON parser,
was vulnerable to multiple memory corruption attacks, which could lead to
application crashes, denial-of-service conditions, and potentially arbitrary
code execution through heap corruption when parsing untrusted input.

For Debian 11 bullseye, these problems have been fixed in version
1.6-2.1+deb11u2.

We recommend that you upgrade your jq packages.

For the detailed security status of jq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
