Control: tags -1 + moreinfo

Hi

[disclaimer: I'm not a stable release manager]

On Tue, May 19, 2026 at 06:26:51PM +0800, ChangZhuo Chen (陳昌倬) wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:jq
> User: [email protected]
> Usertags: pu
>
> [ Reason ]
>
> Fix the following security vulnerabilities:
>
> * CVE-2026-40612
> * CVE-2026-41256
> * CVE-2026-41257
> * CVE-2026-43894
> * CVE-2026-43895
> * CVE-2026-43896
> * CVE-2026-44777
>
> [ Impact ]
>
> Security vulnerabilities
>
> [ Tests ]
>
> Tested by upstream unit tests.
>
> [ Risks ]
>
> * jq has zero runtime dependencies, so it is safe to backport.
> * Cherry-pick upstream patches is infeasible due to the change in
>   upstream.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> (Explain *all* the changes)
>
> [ Other info ]
> (Anything else the release team should know.)
>
> --
> ChangZhuo Chen (陳昌倬)
> callsign: BU2HG
> email: [email protected]
> fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B

> diff -Nru jq-1.8.1/debian/changelog jq-1.8.1/debian/changelog > --- jq-1.8.1/debian/changelog 2026-05-17 01:00:50.000000000 +0800 > +++ jq-1.8.1/debian/changelog 2026-05-17 20:58:04.000000000 +0800 
> @@ -1,3 +1,9 @@ > +jq (1.8.1-6~bpo13+1) trixie-backports; urgency=medium > + > + * Rebuild for trixie-backports. > + > + -- ChangZhuo Chen (陳昌倬) <[email protected]> Sun, 17 May 2026 20:58:04 +0800

It is not entirely clear here what you want to achieve. Are you proposing to backport the version from unstable to trixie itself or is this really about trixie-backports, for which then you do not need a bugreport against release.d.o.

And if it is a request to backport the version from unstable to replace the version 1.7.1-6+deb13u2 in stable then I guess it needs some more clarifying. For instance then the version would be 1.8.1-6~deb13u1, but is this safe to do? Why? What about the libjq1 built and reverse dependencies (there are python bindings as python3-jq)?

Regards,
Salvatore
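
Review bot: the new debian/changelog entry names none of the seven CVE ids listed under [ Reason ], although the checklist ticks "*all* changes are documented in the d/changelog"; the only item in the added entry is "Rebuild for trixie-backports." The entry also targets "trixie-backports" with a "~bpo13+1" version suffix while the request carries "Usertags: pu". Suggest listing each CVE id the upload fixes in the changelog entry, and making the distribution and version suffix match the suite the upload is actually meant for.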

