Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jq for openSUSE:Factory checked in at 2026-06-27 18:03:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jq (Old) and /work/SRC/openSUSE:Factory/.jq.new.11887 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jq" Sat Jun 27 18:03:23 2026 rev:23 rq:1361566 version:1.8.2 Changes: -------- --- /work/SRC/openSUSE:Factory/jq/jq.changes 2026-05-24 19:35:19.430467391 +0200 +++ /work/SRC/openSUSE:Factory/.jq.new.11887/jq.changes 2026-06-27 18:03:38.719036842 +0200 
@@ -1,0 +2,93 @@ +Sun Jun 21 16:30:40 UTC 2026 - Martin Hauke <[email protected]> + +- Update to version 1.8.2 + Security fixes + * CVE-2026-32316: Fix heap buffer overflow in jvp_string_append + and jvp_string_copy_replace_bad. + * CVE-2026-33947: Limit path depth to prevent stack overflow in + jv_setpath, jv_getpath, jv_delpaths. + * CVE-2026-33948: Fix NUL truncation in the JSON parser. + * CVE-2026-39956: Fix _strindices missing runtime type checks. + * CVE-2026-39979: Fix out-of-bounds read in jv_parse_sized(). + * CVE-2026-40164: Randomize hash seed to mitigate hash collision + DoS attacks. + * CVE-2026-40612: Limit containment check depth to prevent stack + overflow in contains. + * CVE-2026-41256: Fix NUL truncation in program files loaded + with -f. + * CVE-2026-41257: Fix signed-int overflow in stack_reallocate. + * CVE-2026-43894: Reject numeric literals longer than + DEC_MAX_DIGITS (999999999). + * CVE-2026-43895: Reject embedded NUL bytes in module import + paths. + * CVE-2026-43896: Limit recursive object merge depth to prevent + stack overflow. + * CVE-2026-44777: Detect circular module imports to prevent + stack overflow. + * CVE-2026-47770: Guard deep structural equality and comparison + recursion. + * CVE-2026-49839: Fix heap-buffer-overflow in raw file loading. + * CVE-2026-54679: Tighten string length bounds and propagate + invalid jv in implode. + * GHSA-gf4g-95wj-4q4r: Fix use-after-free in args2obj() array + argument path. + * GHSA-hj52-j2c9-r8r4: Fix signed-int overflow in tokenadd to + prevent buffer overflow. + * Limit the number of function parameters and definitions to + prevent SEGV. + * Pre-allocate tokenbuf for string parser to avoid undefined + behavior. + * Avoid stack overflow when freeing deeply nested values. + * Fix memory leaks and double frees. + Releasing + * Update GPG signing key. + CLI changes + * Improve error message truncation with closing delimiters. + * Remove extra space from die function output. 
+ * Fix raw input flag not to corrupt multi-byte characters. + * Fix crash when importing a module with errors twice. + * Increase the maximum printing depth from 256 to 10000. + Changes to existing functions + * Fix rtrimstr("") always outputting "". + * Fix infinite loop and undefined behavior in del(.[nan]). + * Refactor @uri and @urid to fix multi-byte UTF-8 corruption. + * Fix tonumber and toboolean to reject strings with embedded + null bytes. + * Fix undefined behavior in modulo operator. + * Fix reversed pointer subtraction in f_env bounds check. + * Fix missing validity check in f_strflocaltime after + f_localtime. + * Fix year 2038 problem on 32-bit platforms. + * Use // instead of //= in from_entries definition. + Build and test changes + * Drop strptime test using non-portable %F. + * Limit oniguruma depth to 1024 in jq_fuzz_execute. + * Fix localization test for time formatting functions. + * Fix expected value assertion. + * Fix typo in tests/jq.test. + * Refactor tm2jv to handle fractional seconds. + * Fix jq_fuzz_parse_stream: use iterative parser API for + streaming mode. + * Fix crashes and resource leaks in jq_testsuite. + * Support building with --disable-maintainer-mode and + source != build dir. + * Respect SOURCE_DATE_EPOCH while generating man page. + * Fix undefined pointer arithmetic in UTF-8 helpers. + * Fix one-byte over-read in BASE64_DECODE_TABLE. 
+- Drop not longer needed patches: + * CVE-2026-32316.patch + * CVE-2026-33947.patch + * CVE-2026-33948.patch + * CVE-2026-39956.patch + * CVE-2026-39979.patch + * CVE-2026-40164.patch + * CVE-2026-40612.patch + * CVE-2026-41256.patch + * CVE-2026-41257.patch + * CVE-2026-43894.patch + * CVE-2026-43895.patch + * CVE-2026-43896.patch + * CVE-2026-44777_0.patch + * CVE-2026-44777_1.patch + +------------------------------------------------------------------- Old: ---- CVE-2026-32316.patch CVE-2026-33947.patch CVE-2026-33948.patch CVE-2026-39956.patch CVE-2026-39979.patch CVE-2026-40164.patch CVE-2026-40612.patch CVE-2026-41256.patch CVE-2026-41257.patch CVE-2026-43894.patch CVE-2026-43895.patch CVE-2026-43896.patch CVE-2026-44777_0.patch CVE-2026-44777_1.patch jq-1.8.1.tar.gz New: ---- jq-1.8.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences:
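Review bot: "Drop not longer needed patches" in the jq.changes hunk should read "Drop no longer needed patches". More substantively, the entry would benefit from stating that the 14 dropped patch files cover only 13 of the 16 CVEs listed under "Security fixes" (CVE-2026-44777 was carried as two patches): CVE-2026-47770, CVE-2026-49839 and CVE-2026-54679, as well as the two GHSA advisories, have no corresponding file in the "Old:" list, so for those this version bump is the first fix to land in Factory rather than a replacement of a local patch with the upstream one. Calling that out makes the security relevance of the update visible to anyone triaging it from the changelog alone.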
------------------ ++++++ jq.spec ++++++ --- /var/tmp/diff_new_pack.9GuvGU/_old 2026-06-27 18:03:39.915076936 +0200 +++ /var/tmp/diff_new_pack.9GuvGU/_new 2026-06-27 18:03:39.919077070 +0200 @@ -1,7 +1,6 @@ # # spec file for package jq # -# Copyright (c) 2026 SUSE LLC # Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -19,27 +18,13 @@ %define jq_sover 1 Name: jq -Version: 1.8.1 +Version: 1.8.2 Release: 0 Summary: A lightweight and flexible command-line JSON processor License: CC-BY-3.0 AND MIT Group: Productivity/Text/Utilities URL: https://github.com/jqlang Source: https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -Patch0: CVE-2026-33948.patch -Patch1: CVE-2026-32316.patch -Patch2: CVE-2026-33947.patch -Patch3: CVE-2026-39956.patch -Patch4: CVE-2026-39979.patch -Patch5: CVE-2026-40164.patch -Patch6: CVE-2026-40612.patch -Patch7: CVE-2026-41256.patch -Patch8: CVE-2026-41257.patch -Patch9: CVE-2026-43894.patch -Patch10: CVE-2026-43895.patch -Patch11: CVE-2026-43896.patch -Patch12: CVE-2026-44777_0.patch -Patch13: CVE-2026-44777_1.patch BuildRequires: chrpath BuildRequires: pkgconfig BuildRequires: pkgconfig(oniguruma) ++++++ jq-1.8.1.tar.gz -> jq-1.8.2.tar.gz ++++++ ++++ 15343 lines of diff (skipped)
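Review bot: the second jq.spec hunk removes Patch0 through Patch13 but does not touch %prep, which is outside the shown context. That is only correct if %prep applies patches via %autosetup/%autopatch; if it still carries explicit %patch0 ... %patch13 lines, the build will fail on the now-undefined patch tags, so please confirm no stale %patchN references remain. Two smaller points: the first hunk drops the bare "Copyright (c) 2026 SUSE LLC" line and keeps only the "SUSE LLC and contributors" variant, which is fine as a deduplication; and since the changelog notes that upstream updated its GPG signing key, note that the spec lists a single Source with no signature or keyring, so verification of the 15343-line upstream tarball diff that was skipped here happens out of band, and any keyring added later must carry the new key.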
