ChangZhuo Chen uploaded new packages for jq which fixed the
following security problems:
CVE-2026-32316
jq is a command-line JSON processor. An integer overflow vulnerability
exists through version 1.8.1 within the jvp_string_append() and
jvp_string_copy_replace_bad functions, where concatenating strings with
a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer
overflow in the buffer allocation size calculation, resulting in a
drastically undersized heap buffer. Subsequent memory copy operations
then write the full string data into this undersized buffer, causing a
heap buffer overflow classified as CWE-190 (Integer Overflow) leading to
CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq
queries is affected, as an attacker can crash the process or potentially
achieve further exploitation through heap corruption by crafting queries
that produce extremely large strings. The root cause is the absence of
string size bounds checking, unlike arrays and objects which already
have size limits. The issue has been addressed in commit
e47e56d226519635768e6aab2f38f0ab037c09e5.
CVE-2026-33947
jq is a command-line JSON processor. In versions 1.8.1 and below,
functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's
src/jv_aux.c use unbounded recursion whose depth is controlled by the
length of a caller-supplied path array, with no depth limit enforced. An
attacker can supply a JSON document containing a flat array of ~65,000
integers (~200 KB) that, when used as a path argument by a trusted jq
filter, exhausts the C call stack and crashes the process with a
segmentation fault (SIGSEGV). This bypass works because the existing
MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not
runtime path operations where arrays can be programmatically constructed
to arbitrary lengths. The impact is denial of service (unrecoverable
crash) affecting any application or service that processes untrusted
JSON input through jq's setpath, getpath, or delpaths builtins. This
issue has been addressed in commit
fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.
CVE-2026-33948
jq is a command-line JSON processor. Commits before
6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where
CLI input parsing allows validation bypass via embedded NUL bytes. When
reading JSON from files or stdin, jq uses strlen() to determine buffer
length instead of the actual byte count from fgets(), causing it to
truncate input at the first NUL byte and parse only the preceding
prefix. This enables an attacker to craft input with a benign JSON
prefix before a NUL byte followed by malicious trailing data, where jq
validates only the prefix as valid JSON while silently discarding the
suffix. Workflows relying on jq to validate untrusted JSON before
forwarding it to downstream consumers are susceptible to parser
differential attacks, as those consumers may process the full input
including the malicious trailing bytes. This issue has been patched by
commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
CVE-2026-39956
jq is a command-line JSON processor. In commits after
69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in
jq's src/builtin.c passes its arguments directly to jv_string_indexes()
without verifying they are strings, and jv_string_indexes() in src/jv.c
relies solely on assert() checks that are stripped in release builds
compiled with -DNDEBUG. This allows an attacker to crash jq trivially
with input like _strindices(0), and by crafting a numeric value whose
IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled
pointer dereference and limited memory read/probe primitive. Any
deployment that evaluates untrusted jq filters against a release build
is vulnerable. This issue has been patched in commit
fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
CVE-2026-39979
jq is a command-line JSON processor. In commits before
2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in
libjq accepts a counted buffer with an explicit length parameter, but
its error-handling path formats the input buffer using %s in
jv_string_fmt(), which reads until a NUL terminator is found rather than
respecting the caller-supplied length. This means that when malformed
JSON is passed in a non-NUL-terminated buffer, the error construction
logic performs an out-of-bounds read past the end of the buffer. The
vulnerability is reachable by any libjq consumer calling
jv_parse_sized() with untrusted input, and depending on memory layout,
can result in memory disclosure or process termination. The issue has
been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
CVE-2026-40164
jq is a command-line JSON processor. Before commit
0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a
hardcoded, publicly visible seed (0x432A9843) for all JSON object hash
table operations, which allowed an attacker to precompute key collisions
offline. By supplying a crafted JSON object (~100 KB) where all keys
hashed to the same bucket, hash table lookups degraded from O(1) to
O(n), turning any jq expression into an O(n²) operation and causing
significant CPU exhaustion. This affected common jq use cases such as
CI/CD pipelines, web services, and data processing scripts, and was far
more practical to exploit than existing heap overflow issues since it
required only a small payload. This issue has been patched in commit
0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
CVE-2026-40612
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains
recurses into nested arrays/objects with no depth limit. With a
sufficiently nested input structure (built programmatically with reduce,
since the JSON parser caps at depth 10000), the C stack is exhausted.
CVE-2026-41256
jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq
programs loaded from a file with -f are truncated at the first embedded
NUL byte on current upstream HEAD. A crafted filter file such as .
followed by \x00 and arbitrary suffix compiles and executes as only the
prefix before the NUL. This leaves jq with a post-CVE-2026-33948
prefix/full-buffer mismatch on the compilation path even though the JSON
parser path has already been fixed.
CVE-2026-41257
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq
bytecode VM's data stack tracks its allocation size in a signed int.
When the stack grows beyond ≈1 GiB (via deeply nested generator forks),
the doubling arithmetic overflows. The wrapped value is passed to
realloc and then used for a memmove with attacker-influenced offsets.
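The two size-arithmetic defects above (CVE-2026-32316's 32-bit unsigned wrap in a string buffer's allocation size, CVE-2026-41257's signed-int wrap when a stack doubles past about 1 GiB) share one shape, shown here in a constructed model that is not jq's code. The unchecked functions reproduce the wrap; grow_checked is the defender's version, and MAX_BYTES is an assumed illustrative cap, not the bound jq's fix chose.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a grow-by-doubling allocation size kept in a
   32-bit unsigned. Both the addition and the doubling wrap silently; the
   caller then allocates the wrapped (tiny) size and copies the real
   (huge) length into it, which is the heap overflow. */
static uint32_t grow_unchecked_u32(uint32_t cur_len, uint32_t extra) {
    uint32_t needed = cur_len + extra;   /* wraps when the true sum >= 2^32 */
    return needed * 2u;                  /* wraps to a small value once needed >= 2^31 */
}

/* Same doubling in a signed int, as a VM data-stack size might be kept.
   Doubling past INT_MAX/2 (about 1 GiB) overflows; the wrapped value is
   negative and becomes a huge size_t when handed to realloc. Modelled
   with unsigned arithmetic so the demo itself has no undefined behaviour. */
static int grow_unchecked_int(int cur_size) {
    return (int)((unsigned)cur_size * 2u);
}

/* Hardened version: do the arithmetic in size_t with explicit overflow
   checks and reject anything above a caller-chosen cap, mirroring the
   size limits the advisory says arrays and objects already had. */
#define MAX_BYTES ((size_t)1 << 30)   /* assumed illustrative bound */

static bool grow_checked(size_t cur_len, size_t extra, size_t cap, size_t *out) {
    if (extra > SIZE_MAX - cur_len)      /* cur_len + extra would wrap */
        return false;
    size_t needed = cur_len + extra;
    if (needed > SIZE_MAX / 2)           /* needed * 2 would wrap */
        return false;
    size_t alloc = needed * 2;
    if (alloc > cap)                     /* enforce the bound */
        return false;
    *out = alloc;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the growth is refused. */
static size_t grow_or_zero(size_t cur_len, size_t extra, size_t cap) {
    size_t out = 0;
    return grow_checked(cur_len, extra, cap, &out) ? out : 0;
}

/* Bytes a copy of true_len bytes would write past an allocation of
   alloc bytes; zero when the allocation is adequate. */
static uint64_t overflow_bytes(uint64_t true_len, uint64_t alloc) {
    return true_len > alloc ? true_len - alloc : 0;
}
```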
CVE-2026-43894
jq is a command-line JSON processor. In 1.8.1 and earlier, when
decNumberFromString is given a number literal of INT_MAX-1 (2147483646)
digits, the D2U() macro overflows during signed-int arithmetic. The
wrapped negative value bypasses the heap-allocation size check, causes
the function to use a 30-byte stack buffer, and then writes ≈715 million
16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The
written content is fully attacker-controlled (the parsed decimal digits,
packed 3-per-unit).
CVE-2026-43895
jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts
embedded NUL bytes in import paths at the jq-language level, but later
resolves those paths through C string operations during module and
data-file lookup. This creates a mismatch between the logical import
string that policy or audit code may validate and the on-disk path that
jq actually opens.
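CVE-2026-33948, CVE-2026-39979, CVE-2026-41256 and CVE-2026-43895 are all one mismatch: a counted buffer handled through C-string operations, so strlen() or %s sees either less (stops at an embedded NUL) or more (reads past the end) than the caller's length. The example below is an added illustration, not jq's code; SAMPLE and the five-byte raw buffer are constructed inputs, and the error-message wording is invented.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a benign JSON document, an embedded NUL byte, then
   trailing bytes. SAMPLE_LEN counts everything received (15), not what a
   C-string view reports (7). */
static const char SAMPLE[] = "{\"a\":1}\0{\"b\":2}";
static const size_t SAMPLE_LEN = sizeof(SAMPLE) - 1;

/* The length a strlen()-based consumer sees: it stops at the first NUL,
   so only the prefix is ever parsed or validated. */
static size_t visible_prefix_len(const char *buf, size_t nbytes) {
    const char *nul = memchr(buf, '\0', nbytes);
    return nul ? (size_t)(nul - buf) : nbytes;
}

/* Defender-side gate: only forward input whose C-string view covers every
   byte received. A mismatch means a validator working on C strings (a
   JSON document, a -f filter file, an import path) checked less than the
   downstream consumer or the filesystem will actually see. */
static bool full_buffer_validated(const char *buf, size_t nbytes) {
    return visible_prefix_len(buf, nbytes) == nbytes;
}

/* Error text for a counted buffer: %.*s honours the caller-supplied
   length, whereas %s keeps reading until it finds a NUL, which a
   non-NUL-terminated buffer need not contain within bounds. */
static int format_parse_error(char *dst, size_t dstsz,
                              const char *buf, size_t nbytes) {
    int n = nbytes > INT_MAX ? INT_MAX : (int)nbytes;
    return snprintf(dst, dstsz, "parse error near: %.*s", n, buf);
}

/* Worked case: five bytes of malformed JSON with no terminator; the
   bounded formatter stays inside the buffer. */
static char ERRBUF[64];
static int demo_bounded_error_len(void) {
    static const char raw[5] = {'{', '"', 'a', '"', ':'};  /* not NUL-terminated */
    return format_parse_error(ERRBUF, sizeof ERRBUF, raw, sizeof raw);
}
static const char *demo_bounded_error_text(void) {
    demo_bounded_error_len();
    return ERRBUF;
}
```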
CVE-2026-43896
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded
recursion in jv_object_merge_recursive() allows a crafted jq program to
crash the process with a segfault. The function is reachable through the
* operator when both operands are objects.
CVE-2026-44777
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the
ordinary module loader recurses without cycle detection when two
otherwise valid modules include each other.
For the bookworm-backports distribution the problems have been fixed in
version 1.8.1-6~bpo12+1.
For the trixie-backports distribution the problems have been fixed in
version 1.8.1-6~bpo13+1.
Introduction
You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.
Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)
Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!
It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.
Where to start
- Users should start at the Instructions page.
- Contributors should start at the Contribute page.
- If you want to know which packages are available via backports.debian.org look at the Packages page.
News
Mathias Gibbens uploaded new packages for incus which fixed the
following security problems:
CVE ID : CVE-2026-40195 CVE-2026-40197 CVE-2026-40243 CVE-2026-40251
CVE-2026-41647 CVE-2026-41648 CVE-2026-41684 CVE-2026-41685
Multiple security issues were discovered in Incus, a system container
and virtual machine manager, which could result in denial of service.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u7~bpo12+1.
Mathias Gibbens uploaded new packages for incus which fixed the
following security problems:
CVE ID : CVE-2026-34178 CVE-2026-34179
Two security issues were discovered in Incus, a system container and
virtual machine manager, which could result in restriction bypass
or privilege escalation.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u6~bpo12+1.
Simon McVittie uploaded new packages for flatpak which fixed the
following security problems, the same as in DSA 6207-1:
* CVE-2026-34078, which allowed a Flatpak app to break out of the
sandbox, resulting in code execution in the host context
* CVE-2026-34079, which allowed a Flatpak app to delete arbitrary
files on the host system
* GHSA-2fxp-43j9-pwvc, which allowed a local user to read any file
that is readable by the `_flatpak` system user
* GHSA-89xm-3m96-w3jg, which allowed a local user to interfere with
another local user's ability to cancel an ongoing download
For the bookworm-backports distribution, the problems have been fixed in
version 1.16.6-1~deb13u1~bpo12+1.
Colin Watson uploaded new packages for openssh which fixed the
following security problems:
CVE-2026-3497 (DSA-6204-1)
Jeremy Brown discovered a flaw in the GSSAPI Key Exchange patch
applied in Debian to OpenSSH, an implementation of the SSH
protocol suite, affecting non-default configurations with the
GSSAPIKeyExchange setting enabled. A remote attacker can take
advantage of this flaw to cause a denial of service, or
potentially the execution of arbitrary code.
https://security-tracker.debian.org/tracker/CVE-2026-3497
For the trixie-backports distribution, the problem has been fixed in
version 1:10.2p1-6~bpo13+1.
Mathias Gibbens uploaded new packages for incus which fixed the
following security problems:
CVE ID : CVE-2026-28384 CVE-2026-33542 CVE-2026-33743 CVE-2026-33897
Multiple security issues were discovered in Incus, a system container
and virtual machine manager, which could result in denial of service
or the execution of arbitrary commands.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u5~bpo12+1.
Mathias Gibbens uploaded new packages for incus which fixed the following
security problems:
CVE ID : CVE-2026-23953 CVE-2026-23954
Two security issues were discovered in Incus, a system container and
virtual machine manager, which could result in the execution of
arbitrary commands via malformed images.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u4~bpo12+1.
Throw away binaries for uploads to BACKPORTS-NEW
Hi all,
Thanks to the initiative of Jochen Sprickerhof, the ftp-masters have merged a change to the Debian configuration of DAK that will enable a feature to throw away binaries after processing of the BACKPORTS-NEW queue [1]. The benefit is that all binary packages (in main) will get built by the Debian buildds before we distribute them within the archive. Packages in contrib, non-free and non-free-firmware will not benefit from this change for technical reasons (see [2] for a more detailed explanation).
Please reach out to me if details are still not clear after reading the wiki.
Enjoy, Micha
[1] https://salsa.debian.org/ftp-team/dak/-/merge_requests/300
[2] https://wiki.debian.org/ThrowAwayNewBinaries
Mathias Gibbens uploaded new packages for incus which fixed the following
security problems:
CVE ID : CVE-2025-64507
It was discovered that Incus, a system container and virtual machine
manager, is prone to a local privilege escalation vulnerability if
unprivileged users are allowed access to Incus through incus-user.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u2~bpo12+1.
Mathias Gibbens uploaded new packages for incus which fixed the following
security problems:
CVE ID : CVE-2025-54286 CVE-2025-54287 CVE-2025-54288
CVE-2025-54289 CVE-2025-54290 CVE-2025-54291
CVE-2025-54293
Multiple security issues were discovered in Incus, a system container
and virtual machine manager, which could result in file disclosure,
information disclosure, privilege escalation or cross-site request
forgery.
For the bookworm-backports distribution the problems have been fixed in
version 6.0.4-2+deb13u1~bpo12+1.