UbuntuUpdates.org

Package "jq"

Name: jq

Description:

lightweight and flexible command-line JSON processor

Latest version: 1.8.1-3ubuntu1.1
Release: questing (25.10)
Level: security
Repository: main
Homepage: https://jqlang.github.io/jq

Other versions of "jq" in Questing

Repository  Area  Version
base        main  1.8.1-3ubuntu1
updates     main  1.8.1-3ubuntu1.1


Changelog

Version: 1.8.1-3ubuntu1.1 2026-04-23 07:08:14 UTC

  jq (1.8.1-3ubuntu1.1) questing-security; urgency=medium

  * SECURITY UPDATE: Heap Buffer Overflow
    - debian/patches/CVE-2026-32316.patch: Fix heap buffer overflow in
      `jvp_string_append` and `jvp_string_copy_replace_bad`
    - CVE-2026-32316
  * SECURITY UPDATE: Stack Buffer Overflow
    - debian/patches/CVE-2026-33947.patch: Limit path depth to prevent
      stack overflow
    - CVE-2026-33947
  * SECURITY UPDATE: Improper Null Termination
    - debian/patches/CVE-2026-33948.patch: Fix NUL truncation in the
      JSON parser
    - CVE-2026-33948
  * SECURITY UPDATE: Out of Bounds Read
    - debian/patches/CVE-2026-39956.patch: Add runtime type checks to
      f_string_indexes
    - debian/patches/CVE-2026-39979.patch: Fix out-of-bounds read in
      jv_parse_sized()
    - CVE-2026-39956
    - CVE-2026-39979
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-40164.patch: Randomize hash seed to
      mitigate hash collision DoS attacks
    - CVE-2026-40164

 -- Bruce Cable <email address hidden> Mon, 20 Apr 2026 17:24:54 +1000

CVE-2026-32316 jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_cop
CVE-2026-33947 jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c us
CVE-2026-33948 jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows v
CVE-2026-39956 jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes
CVE-2026-39979 jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted
CVE-2026-40164 jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible s


