Jq: Question about release policy for security issues

Created on 7 May 2017 · 14 comments · Source: stedolan/jq

There are currently 2 security issues in jq (CVE-2015-8863 and CVE-2016-4074) that are fixed in master but which are not included in any release of jq, since the release of jq 1.5 almost 2 years ago.

Why is that?

Is it a project policy to not make point releases to include security fixes? Or do you need more manpower / help / PRs to make it happen?


All 14 comments

We're volunteers short on time. I'll see about working on a release soon. Users are welcome to use master in the meantime.

If I wanted to contribute time to make a 1.5.1 release with the security holes fixed, what steps would I have to take?

Is it sufficient to just PR a branch with the fixes, and then ask you to push a tag?

@nh2: I'd welcome that. I'd have to build binaries, sign them, make a release.

Can we please get an update and ETA on when an official release containing post-v1.5 fixes will be released? I couldn't find any info about plans or dates for any releases past 1.5 (aside from the unexplained cancellation of v1.5.1).

Given that #922, #995 have been fixed (in master) for about 2 years but not in any official release, it seems that jq v1.5.0 may be unusable for many people at this point.

Also, the use of a custom build (e.g. from the master branch) is unfeasible or forbidden in many organizations (e.g. due to policy restrictions related to security, legal, and/or technical reasons).

Given the significant risks (of data loss/corruption with #922, and security vulnerability to DoS attacks with #995) involved in using jq without these fixes, combined with the lack (for at least some) of any solution other than an official jq release, it would be great to know when such a release might be expected to be available. Thanks!

It's mostly waiting on me to find the time to finalize a release, to be frank. I'd like to get around to it very soon, though.


@wtlangford, if you add your PGP fingerprint to https://github.com/stedolan/jq/blob/master/KEYS I will encrypt and send you the release signing key and instructions for signing release binaries.

What is the status on a 1.5.1 release? Would love to continue to use the library, but

https://nvd.nist.gov/vuln/detail/CVE-2015-8863

is blocking that. Thanks!

@nicowilliams @dtolnay @wtlangford Thanks for moving this forward as best you can. Is there any effort to continue with the 1.6 release (from rc1 last December)??

I see this is now marked as fixed in edge, at version 1.6-rc0 there (which by byte count differs from latest-stable). Unfortunately, when running a scan vs CVE it states this is only fixed in a yet-to-be released 1.6-rc1 version, so continues to complain. Is it policy to bump rc versions when releasing?
e.g.:

```
Got results from Clair API v1
Found 1 vulnerabilities
High: 1

CVE-2016-4074: [High]
Found in: jq [1.5-r1]
Fixed By: 1.6_rc1-r0

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4074
```

https://github.com/stedolan/jq/releases/tag/jq-1.6 has been released for almost a year now and contains all the changes in 1.6-rc1.
We don't move the tags for the release candidates after they're made, as they're just tags on master, but that also means that anything after that tag will also have the fixes.

I wonder if your tool is having a hard time telling that 1.6 contains the changes in 1.6-rc1?
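The ordering a scanner has to apply when it matches a "Found in" version against a "Fixed By" version is apk's own version ordering, in which a pre-release suffix such as `_rc1` sorts below the bare version, so `1.6-r0` is newer than `1.6_rc1-r0` and should not be flagged. The following is an added example, not code from jq, Alpine or Clair: a simplified reimplementation in Python of those comparison rules (numeric components, optional letter, `_suffixN` parts, then the `-rN` package release). The suffix rank table and the function names are this example's own, and the sample versions are the ones quoted in the scanner output above.

```python
import re

# Suffix ordering modelled on apk-tools (simplified for this example): the
# pre-release suffixes rank below a bare version, "p" (patch) and the VCS
# suffixes rank above it.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3,
               "cvs": 5, "svn": 6, "git": 7, "hg": 8, "p": 9}
BARE_RANK = 4  # rank of "no suffix": 1.6 > 1.6_rc1 but 1.6 < 1.6_p1

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_[a-z]+\d*)*)(?:-r(?P<rel>\d+))?$"
)


def parse_apk_version(text):
    """Split e.g. '1.6_rc1-r0' into (numeric parts, letter, [(rank, n)], pkgrel)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not an apk version: {text!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    suffixes = []
    for part in m.group("suffixes").split("_")[1:]:
        name = part.rstrip("0123456789")
        if name not in SUFFIX_RANK:
            raise ValueError(f"unknown suffix {name!r} in {text!r}")
        suffixes.append((SUFFIX_RANK[name], int(part[len(name):] or 0)))
    rel = int(m.group("rel")) if m.group("rel") is not None else 0
    return nums, m.group("letter") or "", suffixes, rel


def _cmp(a, b):
    return (a > b) - (a < b)


def compare_apk_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    an, al, asuf, arel = parse_apk_version(a)
    bn, bl, bsuf, brel = parse_apk_version(b)
    if an != bn:
        return _cmp(an, bn)  # tuple order: 1.5 < 1.6 < 1.6.1
    if al != bl:
        return _cmp(al, bl)  # 1.6 < 1.6a
    # A missing suffix is the bare version, ranked between rc and cvs, so
    # 1.6 beats 1.6_rc1 but loses to 1.6_p1.
    for i in range(max(len(asuf), len(bsuf))):
        x = asuf[i] if i < len(asuf) else (BARE_RANK, 0)
        y = bsuf[i] if i < len(bsuf) else (BARE_RANK, 0)
        if x != y:
            return _cmp(x, y)
    return _cmp(arel, brel)  # -rN package release breaks the tie


def still_vulnerable(installed, fixed_in):
    """What a scanner should conclude from a 'Found in' / 'Fixed By' pair."""
    return compare_apk_versions(installed, fixed_in) < 0


if __name__ == "__main__":
    fixed = "1.6_rc1-r0"  # the "Fixed By" version from the Clair output
    for installed in ("1.5-r1", "1.6_rc0-r0", "1.6-r0", "1.6-r1"):
        verdict = "VULNERABLE" if still_vulnerable(installed, fixed) else "fixed"
        print(f"jq {installed:<11} vs fix {fixed}: {verdict}")
```

Running the block shows `1.5-r1` and `1.6_rc0-r0` flagged and `1.6-r0` / `1.6-r1` cleared, which is the verdict the scanner in the comment above failed to reach for `1.6-r0`; a scanner that compared the strings lexically, or treated `_rc1` as newer than the bare `1.6`, would produce exactly the false positive reported.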

Anything to be done about the fact that in alpine 3.10 the version is still reported as 1.6-r0 instead of 1.6 then?

```
bash-5.0# apk info jq
jq-1.6-r0 description:
A lightweight and flexible command-line JSON processor

jq-1.6-r0 webpage:
http://stedolan.github.io/jq/

jq-1.6-r0 installed size:
565248
```

https://pkgs.alpinelinux.org/packages?name=jq&branch=v3.10&repo=main

Scanner we use is Clair (default provided by Gitlab CI).

Maybe to add: it seems that most scanners detect this problem and still report that jq has an open CVE in the latest alpine.
Scanners I tested:

  • AWS ECR scan
  • Trivy
  • Clair

Problem here is that alpine 3.11 still reports using jq version 1.6-r0, where only edge is reportedly using version 1.6-r1.

I guess this is an alpine problem, and not really jq? 1.6 has been out since Nov 2018 already...

I solved it by installing curl on the image and pulling the binary directly into the image.

```sh
# -O and -o conflict (both name an output for the single URL); use -o alone
curl -L -o /tmp/jq-linux64 https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && chmod a+x /tmp/jq-linux64 && mv /tmp/jq-linux64 /usr/bin/jq
```

Gets through the ECR scans now.
