#1137085 trixie-pu: package jq/1.8.1-6~bpo13+1

#1137085#5
Date: 2026-05-19 10:26:51 UTC
[ Reason ]

Fix the following security vulnerabilities:

* CVE-2026-40612
* CVE-2026-41256
* CVE-2026-41257
* CVE-2026-43894
* CVE-2026-43895
* CVE-2026-43896
* CVE-2026-44777

[ Impact ]

Security vulnerabilities

[ Tests ]

Tested by upstream unit tests.

[ Risks ]

* jq has zero runtime dependencies, so it is safe to backport.
* Cherry-picking upstream patches is infeasible due to the change in
  upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)

[ Other info ]
(Anything else the release team should know.)

#1137085#12
Date: 2026-05-22 18:53:44 UTC
Hi

[disclaimer: I'm not a stable release manager]

It is not entirely clear here what you want to achieve. Are you
proposing to backport the version from unstable to trixie itself, or is
this really about trixie-backports, for which then you do not need a
bug report against release.d.o?

And if it is a request to backport the version from unstable to
replace the version 1.7.1-6+deb13u2 in stable then I guess it needs
some more clarifying. For instance then the version would be
1.8.1-6~deb13u1, but is this safe to do? Why? What about the libjq1
built and reverse dependencies (there are python bindings as
python3-jq)?

Regards,
Salvatore