jq
Question about release policy for security issues
There are currently 2 security issues in jq (CVE-2015-8863 and CVE-2016-4074) that are fixed in master but which are not included in any release of jq, since the release of jq 1.5 almost 2 years ago.
Why is that?
Is it a project policy to not make point releases to include security fixes? Or do you need more manpower / help / PRs to make it happen?
We're volunteers short on time. I'll see about working on a release soon. Users are welcome to use master in the meantime.
If I wanted to contribute time to make a 1.5.1 release with the security holes fixed, what steps would I have to take?
Is it sufficient to just PR a branch with the fixes, and then ask you to push a tag?
@nh2: I'd welcome that. I'd have to build binaries, sign them, make a release.
Can we please get an update and ETA on when an official release containing post-v1.5 fixes will be released? I couldn't find any info about plans or dates for any releases past 1.5 (aside from the unexplained cancellation of v1.5.1).
Given that #922, #995 have been fixed (in master) for about 2 years but not in any official release, it seems that jq v1.5.0 may be unusable for many people at this point.
Also, the use of a custom build (e.g. from the master branch) is unfeasible or forbidden in many organizations (e.g. due to policy restrictions related to security, legal, and/or technical reasons).
Given the significant risks (of data loss/corruption with #922, and security vulnerability to DoS attacks with #995) involved in using jq without these fixes, combined with the lack (for at least some) of any solution other than an official jq release, it would be great to know when such a release might be expected to be available. Thanks!
It's mostly waiting on me to find the time to finalize a release, to be frank. I'd like to get around to it very soon, though.
@wtlangford, if you add your PGP fingerprint to https://github.com/stedolan/jq/blob/master/KEYS I will encrypt and send you the release signing key and instructions for signing release binaries.
What is the status on a 1.5.1 release? Would love to continue to use the library, but https://nvd.nist.gov/vuln/detail/CVE-2015-8863 is blocking that. Thanks!
@nicowilliams @dtolnay @wtlangford Thanks for moving this forward as best you can. Is there any effort to continue with the 1.6 release (from rc1 last December)?
I see this is now marked as fixed in edge, at version 1.6-rc0 there (which by byte count differs from latest-stable). Unfortunately, when running a scan vs CVE it states this is only fixed in a yet-to-be-released 1.6-rc1 version, so it continues to complain. Is it policy to bump rc versions when releasing? E.g.:
Found 1 vulnerabilities
High: 1
CVE-2016-4074: [High]
Found in: jq [1.5-r1]
Fixed By: 1.6_rc1-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074
-----------------------------------------
https://github.com/stedolan/jq/releases/tag/jq-1.6 has been released for almost a year now and contains all the changes in 1.6-rc1. We don't move the tags for the release candidates after they're made, as they're just tags on master, but that also means that anything after that tag will also have the fixes.
I wonder if your tool is having a hard time telling that 1.6 contains the changes in 1.6-rc1?
Anything to be done about the fact that in alpine 3.10 the version is still reported as 1.6-r0 instead of 1.6 then?
bash-5.0# apk info jq
jq-1.6-r0 description:
A lightweight and flexible command-line JSON processor
jq-1.6-r0 webpage:
http://stedolan.github.io/jq/
jq-1.6-r0 installed size:
565248
https://pkgs.alpinelinux.org/packages?name=jq&branch=v3.10&repo=main
Scanner we use is Clair (default provided by Gitlab CI).
Maybe to add: it seems that most scanners detect this problem and still report that jq has an open CVE in the latest alpine. Scanners I tested:
- AWS ECR scan
- Trivy
- Clair
Problem here is that alpine 3.11 still reports using jq version 1.6-r0, where only edge is reportedly using version 1.6-r1.
I guess this is an alpine problem, and not really jq? 1.6 has been out since nov 2018 already...
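As an added illustration (not code from jq or from any of the scanners named in this thread), the Python below orders Alpine apk versions the way apk itself does and checks the installed versions mentioned above against the "Fixed By: 1.6_rc1-r0" finding: under that ordering 1.6-r0 is at or past the fix while 1.5-r1 and an rc0 build are not, so a scanner that still flags 1.6-r0 is either not ordering the versions this way or is working from different advisory data. The suffix ranking is taken from apk-tools' version rules as I understand them; treat it as an assumption, not the scanners' exact logic.

```python
import re

# Alpine apk suffix ordering (assumed from apk-tools' version rules): pre-release
# suffixes sort before the bare version, post-release suffixes sort after it.
PRE_SUFFIXES = ("alpha", "beta", "pre", "rc")
POST_SUFFIXES = ("cvs", "svn", "git", "hg", "p")

_VERSION_RE = re.compile(r"([0-9][0-9.a-z]*)((?:_[a-z]+[0-9]*)*)(?:-r([0-9]+))?")


def parse_apk_version(version):
    """Turn an apk version string such as '1.6_rc1-r0' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"not an apk version: {version!r}")
    base, suffixes, rev = m.groups()
    # Dotted components compare numerically; any trailing letters compare after the number.
    components = [(int(num), letters) for num, letters in re.findall(r"([0-9]+)([a-z]*)", base)]
    ranked = []
    for name, num in re.findall(r"_([a-z]+)([0-9]*)", suffixes):
        if name in PRE_SUFFIXES:
            rank = PRE_SUFFIXES.index(name) - len(PRE_SUFFIXES)  # negative: before the release
        elif name in POST_SUFFIXES:
            rank = POST_SUFFIXES.index(name) + 1                 # positive: after the release
        else:
            raise ValueError(f"unknown suffix _{name} in {version!r}")
        ranked.append((rank, int(num or 0)))
    if not ranked:
        ranked.append((0, 0))  # a bare release sits between pre- and post-release suffixes
    return (components, ranked, int(rev or 0))


def is_fixed(installed, fixed_in):
    """True when the installed apk version is at or past the version carrying the fix."""
    return parse_apk_version(installed) >= parse_apk_version(fixed_in)


if __name__ == "__main__":
    fixed_in = "1.6_rc1-r0"  # the "Fixed By" version from the scanner output in this thread
    # Installed versions seen in the thread, plus the edge rc0 build mentioned above.
    for installed in ("1.5-r1", "1.6_rc0-r0", "1.6_rc1-r0", "1.6-r0", "1.6-r1"):
        status = "fixed" if is_fixed(installed, fixed_in) else "VULNERABLE"
        print(f"jq {installed:<11} vs fix {fixed_in}: {status}")
```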
I solved it by installing curl on the image and pulling the binary directly into the image.
curl -OL https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -o /tmp/jq-linux64 && chmod a+x /tmp/jq-linux64 && mv /tmp/jq-linux64 /usr/bin/jq
Gets through the ECR scans now.
@praveenchandran thanks for this. There is a typo in your command. Curl should use either -o or -O. So the command should be
curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -o /tmp/jq-linux64 && chmod a+x /tmp/jq-linux64 && mv /tmp/jq-linux64 /usr/bin/jq
Since jq 1.7 has been released, I'm closing this issue. You can also report vulnerabilities via GitHub: https://github.com/jqlang/jq/security/advisories/new.