- Package: release.debian.org
- Source: release.debian.org
- Submitter: ChangZhuo Chen
- Date: 2026-05-22 18:55:01 UTC
- Severity: normal
- Tags:

[ Reason ]
Fix the following security vulnerabilities:
* CVE-2026-40612
* CVE-2026-41256
* CVE-2026-41257
* CVE-2026-43894
* CVE-2026-43895
* CVE-2026-43896
* CVE-2026-44777

[ Impact ]
Security vulnerabilities

[ Tests ]
Tested by upstream unit tests.

[ Risks ]
* jq has zero runtime dependencies, so it is safe to backport.
* Cherry-picking upstream patches is infeasible due to the change in upstream.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)

[ Other info ]
(Anything else the release team should know.)

Hi

[disclaimer: I'm not a stable release manager]

It is not entirely clear here what you want to achieve. Are you proposing to backport the version from unstable to trixie itself or is this really about trixie-backports, for which then you do not need a bugreport against release.d.o?

And if it is a request to backport the version from unstable to replace the version 1.7.1-6+deb13u2 in stable then I guess it needs some more clarifying. For instance then the version would be 1.8.1-6~deb13u1, but is this safe to do? Why? What about the libjq1 built and reverse dependencies (there are python bindings as python3-jq)?

Regards,
Salvatore