Security update for jq

SUSE Security Update: Security update for jq
Announcement ID: SUSE-SU-2017:2950-1
Rating: moderate
References: #1014176 #1017157
Affected Products:
  • SUSE Enterprise Storage 4

An update that solves one vulnerability and has one errata is now available.


    This update for jq fixes the following issues:

    Security issues fixed:

    - CVE-2016-4074: The jv_dump_term function in jq allowed remote attackers
    to cause a denial of service (stack consumption and application crash)
    via a crafted JSON file. (bsc#1014176)

    Non-security issues fixed:

    - Update tests dependencies to increase test coverage. (bsc#1017157)
    - Do not run tests in qemu builds, valgrind does not work reliably in such

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Enterprise Storage 4:
      zypper in -t patch SUSE-Storage-4-2017-1830=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Enterprise Storage 4 (aarch64 x86_64):
      • jq-1.5-3.5.7
      • jq-debuginfo-1.5-3.5.7
      • jq-debugsource-1.5-3.5.7
      • libjq1-1.5-3.5.7
      • libjq1-debuginfo-1.5-3.5.7
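
A post-patch check for the package list above, as an added example that is not part of the SUSE advisory: it reads "name version-release" lines and flags any jq or libjq1 package older than the fixed build 1.5-3.5.7. The function names and the sample inventory are constructed for illustration, and GNU `sort -V` is assumed as an approximation of rpm's own version ordering.

```shell
#!/bin/sh
# Added example: report whether installed jq packages are at or above the
# fixed build named in this advisory's package list.
FIXED="1.5-3.5.7"   # version-release taken from the advisory's package list

# ver_ge A B: succeed when A >= B. Uses GNU `sort -V`, which approximates
# rpm's version ordering and is adequate for numeric strings like these.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_fixed: read "name version-release" lines on stdin, print one status
# line per jq/libjq1 package, and return 1 if any is older than FIXED.
check_fixed() {
    rc=0
    while read -r name vr; do
        case "$name" in
            jq|libjq1) ;;
            *) continue ;;   # ignore unrelated packages and rpm error text
        esac
        if ver_ge "$vr" "$FIXED"; then
            echo "OK      $name $vr"
        else
            echo "UPDATE  $name $vr (fixed in $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory, not taken from a real host.
sample_inventory() {
    printf '%s\n' 'jq 1.5-3.2.1' 'libjq1 1.5-3.5.7' 'bash 4.3-83.5.2'
}

# Demonstration run on the constructed sample (exit status ignored here).
sample_inventory | check_fixed || true

# On a real system, feed it the rpm database instead:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' jq libjq1 | check_fixed
```

A non-zero exit from `check_fixed` means at least one of the two runtime packages still predates the fixed build and the patch from the instructions above has not been applied.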