jq-1.8.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15233-1 Final 1 1 2025-07-03T00:00:00Z current 2025-07-03T00:00:00Z 2025-07-03T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z jq-1.8.1-1.1 on GA media These are all security issues fixed in the jq-1.8.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15233 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-23337/ SUSE CVE CVE-2024-23337 page https://www.suse.com/security/cve/CVE-2025-48060/ SUSE CVE CVE-2025-48060 page https://www.suse.com/security/cve/CVE-2025-49014/ SUSE CVE CVE-2025-49014 page openSUSE Tumbleweed jq-1.8.1-1.1 libjq-devel-1.8.1-1.1 libjq1-1.8.1-1.1 jq-1.8.1-1.1 as a component of openSUSE Tumbleweed libjq-devel-1.8.1-1.1 as a component of openSUSE Tumbleweed libjq1-1.8.1-1.1 as a component of openSUSE Tumbleweed jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue. CVE-2024-23337 openSUSE Tumbleweed:jq-1.8.1-1.1 openSUSE Tumbleweed:libjq-devel-1.8.1-1.1 openSUSE Tumbleweed:libjq1-1.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-23337.html CVE-2024-23337 https://bugzilla.suse.com/1243450 SUSE Bug 1243450 jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available. CVE-2025-48060 openSUSE Tumbleweed:jq-1.8.1-1.1 openSUSE Tumbleweed:libjq-devel-1.8.1-1.1 openSUSE Tumbleweed:libjq1-1.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48060.html CVE-2025-48060 https://bugzilla.suse.com/1244116 SUSE Bug 1244116 jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication. CVE-2025-49014 openSUSE Tumbleweed:jq-1.8.1-1.1 openSUSE Tumbleweed:libjq-devel-1.8.1-1.1 openSUSE Tumbleweed:libjq1-1.8.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-49014.html CVE-2025-49014 https://bugzilla.suse.com/1245137 SUSE Bug 1245137