An update for jq is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text.

Security Fix(es):

* A heap-based buffer overflow flaw was found in jq's tokenadd() function. By tricking a victim into processing a specially crafted JSON file, an attacker could use this flaw to crash jq or, potentially, execute arbitrary code on the victim's system. (CVE-2015-8863)
1328747 – CVE-2015-8863 jq: heap-buffer-overflow in tokenadd() function
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: