Package "jq"
Name: jq
Description: lightweight and flexible command-line JSON processor
Latest version: 1.7.1-3ubuntu0.24.04.2
Release: noble (24.04)
Level: security
Repository: main
Homepage: https://jqlang.github.io/jq
Changelog
jq (1.7.1-3ubuntu0.24.04.2) noble-security; urgency=medium

  * SECURITY UPDATE: Heap Buffer Overflow
    - debian/patches/CVE-2026-32316.patch: Fix heap buffer overflow in
      `jvp_string_append` and `jvp_string_copy_replace_bad`
    - CVE-2026-32316
  * SECURITY UPDATE: Stack Buffer Overflow
    - debian/patches/CVE-2026-33947.patch: Limit path depth to prevent
      stack overflow
    - CVE-2026-33947
  * SECURITY UPDATE: Improper Null Termination
    - debian/patches/CVE-2026-33948.patch: Fix NUL truncation in the
      JSON parser
    - CVE-2026-33948
  * SECURITY UPDATE: Out of Bounds Read
    - debian/patches/CVE-2026-39956.patch: Add runtime type checks to
      f_string_indexes
    - debian/patches/CVE-2026-39979.patch: Fix out-of-bounds read in
      jv_parse_sized()
    - CVE-2026-39956
    - CVE-2026-39979
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-40164.patch: Randomize hash seed to
      mitigate hash collision DoS attacks
    - CVE-2026-40164

 -- Bruce Cable <email address hidden>  Mon, 20 Apr 2026 17:25:09 +1000
CVE-2026-32316: jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_cop

CVE-2026-33947: jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c us

CVE-2026-33948: jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows v

CVE-2026-39956: jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes

CVE-2026-39979: jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted

CVE-2026-40164: jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible s
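The "limit path depth to prevent stack overflow" fix for CVE-2026-33947, illustrated as an added Python example that is not jq's code: a recursive setpath in the style of jq's setpath/1, where every element of the caller-supplied path array costs one stack frame, so the path length alone decides how deep the recursion goes. Run without a bound the recursion continues until the interpreter refuses (a C implementation of the same shape would overrun the stack instead); with a bound the deep path is rejected before any recursion happens. The limit value 256, the `PathTooDeep` and `probe` names, and the constructed `["a"] * n` path are assumptions for this example; the limit the jq patch uses is not stated on this page.

```python
"""Depth-bounded recursive setpath: the pattern behind "limit path depth to prevent stack overflow"."""
from typing import Any, List, Optional

# Assumed limit for this example; the value used by the jq patch is not stated on the page.
MAX_PATH_DEPTH = 256


class PathTooDeep(ValueError):
    """Raised instead of recursing when the caller-supplied path exceeds the bound."""


def setpath(doc: Any, path: List[Any], value: Any,
            max_depth: Optional[int] = MAX_PATH_DEPTH, depth: int = 0) -> Any:
    """Return a copy of `doc` with `value` stored at `path` (jq-style setpath/1).

    Each path element consumes one level of recursion, so recursion depth is
    controlled entirely by the path array. With max_depth=None the function
    recurses until Python raises RecursionError; the bounded form rejects the
    path up front with PathTooDeep.
    """
    if not path:
        return value
    if max_depth is not None and depth >= max_depth:
        raise PathTooDeep(f"path depth {depth + 1} exceeds limit of {max_depth}")
    key, rest = path[0], path[1:]
    if isinstance(key, str):
        # Object key: a null/absent container becomes an object, as in jq.
        obj = dict(doc) if isinstance(doc, dict) else {}
        obj[key] = setpath(obj.get(key), rest, value, max_depth, depth + 1)
        return obj
    if isinstance(key, int) and not isinstance(key, bool):
        if key < 0:
            raise ValueError("Out of bounds negative array index")
        # Array index: a null/absent container becomes an array padded with nulls.
        arr = list(doc) if isinstance(doc, list) else []
        if key >= len(arr):
            arr.extend([None] * (key - len(arr) + 1))
        arr[key] = setpath(arr[key], rest, value, max_depth, depth + 1)
        return arr
    raise TypeError(f"Invalid path component {key!r}")


def attacker_path(depth: int) -> List[Any]:
    """Constructed input: a path array of the requested depth, as a caller
    controlling the path argument could supply it."""
    return ["a"] * depth


def probe(path: List[Any], max_depth: Optional[int]) -> Optional[str]:
    """Report which guard stopped the recursion: 'PathTooDeep', 'RecursionError', or None."""
    try:
        setpath(None, path, 1, max_depth=max_depth)
    except PathTooDeep:
        return "PathTooDeep"
    except RecursionError:
        return "RecursionError"
    return None


if __name__ == "__main__":
    print(setpath(None, ["a", "b"], 1))
    print(setpath({"x": [1]}, ["x", 2], 9))
    deep = attacker_path(5000)
    print("unbounded:", probe(deep, None))
    print("bounded:  ", probe(deep, MAX_PATH_DEPTH))
```

The check happens before the recursive call, so a rejected path costs one comparison rather than a partial descent that has to be unwound; the same applies to getpath and delpaths, which walk the path array the same way.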
jq (1.7.1-3ubuntu0.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: integer overflow via signed integer limit
    - debian/patches/CVE-2024-23337.patch: fix signed integer overflow in
      jvp_array_write and jvp_object_rehash in src/jv.c, src/jv_aux.c,
      tests/jq.test.
    - CVE-2024-23337
  * SECURITY UPDATE: OOB write via NaN
    - debian/patches/CVE-2024-53427-1.patch: jv_number_value should cache
      the double value of literal numbers in jv.c.
    - debian/patches/CVE-2024-53427-2.patch: reject NaN with payload while
      parsing JSON in src/jv.c, tests/jq.test, tests/shtest.
    - CVE-2024-53427
  * SECURITY UPDATE: heap buffer overflow
    - debian/patches/CVE-2025-48060-1.patch: improve performance of
      repeating strings in src/builtin.c, src/jv.c, src/jv.h,
      tests/jq.test.
    - debian/patches/CVE-2025-48060-2.patch: fix heap buffer overflow when
      formatting an empty string in src/jv.c, tests/jq.test.
    - CVE-2025-48060

 -- Marc Deslauriers <email address hidden>  Wed, 16 Jul 2025 09:48:44 -0400
CVE-2024-23337: jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483

CVE-2024-53427: decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buf

CVE-2025-48060: jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_