An update for jq is now available for openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1809 Final 1.0 1.0 2025-07-11 Initial 2025-07-11 2025-07-11 openEuler SA Tool V1.0 2025-07-11 jq security update An update for jq is now available for openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-20.03-LTS-SP4 jq is a lightweight and flexible command-line JSON processor. you can use it to slice and filter and map and transform structured data. It is written in portable C, and it has zero runtime dependencies. it can mangle the data format that you have into the one that you want. Security Fix(es): jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue.(CVE-2024-23337) jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.(CVE-2025-48060) jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.(CVE-2025-49014) An update for jq is now available for openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High jq https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1809 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-23337 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-48060 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-49014 https://nvd.nist.gov/vuln/detail/CVE-2024-23337 https://nvd.nist.gov/vuln/detail/CVE-2025-48060 https://nvd.nist.gov/vuln/detail/CVE-2025-49014 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-20.03-LTS-SP4 jq-1.8.0-2.oe2203sp3.aarch64.rpm jq-debuginfo-1.8.0-2.oe2203sp3.aarch64.rpm jq-debugsource-1.8.0-2.oe2203sp3.aarch64.rpm jq-devel-1.8.0-2.oe2203sp3.aarch64.rpm jq-1.8.0-2.oe2203sp4.aarch64.rpm jq-debuginfo-1.8.0-2.oe2203sp4.aarch64.rpm jq-debugsource-1.8.0-2.oe2203sp4.aarch64.rpm jq-devel-1.8.0-2.oe2203sp4.aarch64.rpm jq-1.8.0-2.oe2403.aarch64.rpm jq-debuginfo-1.8.0-2.oe2403.aarch64.rpm jq-debugsource-1.8.0-2.oe2403.aarch64.rpm jq-devel-1.8.0-2.oe2403.aarch64.rpm jq-1.8.0-2.oe2403sp1.aarch64.rpm jq-debuginfo-1.8.0-2.oe2403sp1.aarch64.rpm jq-debugsource-1.8.0-2.oe2403sp1.aarch64.rpm jq-devel-1.8.0-2.oe2403sp1.aarch64.rpm jq-1.8.0-2.oe2403sp2.aarch64.rpm jq-debuginfo-1.8.0-2.oe2403sp2.aarch64.rpm jq-debugsource-1.8.0-2.oe2403sp2.aarch64.rpm jq-devel-1.8.0-2.oe2403sp2.aarch64.rpm jq-1.8.0-2.oe2003sp4.aarch64.rpm jq-debuginfo-1.8.0-2.oe2003sp4.aarch64.rpm jq-debugsource-1.8.0-2.oe2003sp4.aarch64.rpm jq-devel-1.8.0-2.oe2003sp4.aarch64.rpm jq-1.8.0-2.oe2203sp3.src.rpm jq-1.8.0-2.oe2203sp4.src.rpm jq-1.8.0-2.oe2403.src.rpm jq-1.8.0-2.oe2403sp1.src.rpm jq-1.8.0-2.oe2403sp2.src.rpm jq-1.8.0-2.oe2003sp4.src.rpm jq-1.8.0-2.oe2203sp3.x86_64.rpm jq-debuginfo-1.8.0-2.oe2203sp3.x86_64.rpm jq-debugsource-1.8.0-2.oe2203sp3.x86_64.rpm jq-devel-1.8.0-2.oe2203sp3.x86_64.rpm jq-1.8.0-2.oe2203sp4.x86_64.rpm jq-debuginfo-1.8.0-2.oe2203sp4.x86_64.rpm jq-debugsource-1.8.0-2.oe2203sp4.x86_64.rpm jq-devel-1.8.0-2.oe2203sp4.x86_64.rpm jq-1.8.0-2.oe2403.x86_64.rpm jq-debuginfo-1.8.0-2.oe2403.x86_64.rpm jq-debugsource-1.8.0-2.oe2403.x86_64.rpm jq-devel-1.8.0-2.oe2403.x86_64.rpm jq-1.8.0-2.oe2403sp1.x86_64.rpm jq-debuginfo-1.8.0-2.oe2403sp1.x86_64.rpm jq-debugsource-1.8.0-2.oe2403sp1.x86_64.rpm jq-devel-1.8.0-2.oe2403sp1.x86_64.rpm jq-1.8.0-2.oe2403sp2.x86_64.rpm jq-debuginfo-1.8.0-2.oe2403sp2.x86_64.rpm jq-debugsource-1.8.0-2.oe2403sp2.x86_64.rpm jq-devel-1.8.0-2.oe2403sp2.x86_64.rpm jq-1.8.0-2.oe2003sp4.x86_64.rpm jq-debuginfo-1.8.0-2.oe2003sp4.x86_64.rpm jq-debugsource-1.8.0-2.oe2003sp4.x86_64.rpm jq-devel-1.8.0-2.oe2003sp4.x86_64.rpm jq-help-1.8.0-2.oe2203sp3.noarch.rpm jq-help-1.8.0-2.oe2203sp4.noarch.rpm jq-help-1.8.0-2.oe2403.noarch.rpm jq-help-1.8.0-2.oe2403sp1.noarch.rpm jq-help-1.8.0-2.oe2403sp2.noarch.rpm jq-help-1.8.0-2.oe2003sp4.noarch.rpm jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue. 2025-07-11 CVE-2024-23337 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-20.03-LTS-SP4 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H jq security update 2025-07-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1809 jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available. 2025-07-11 CVE-2025-48060 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H jq security update 2025-07-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1809 jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication. 2025-07-11 CVE-2025-49014 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-20.03-LTS-SP4 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L jq security update 2025-07-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1809