I'm postponing fixes for CVE-2026-42496, CVE-2026-42497, and CVE-2026-9538
in Archive-Tar.

These are rather intertwined, and backporting them onto older versions
is pretty much the same thing as upgrading the whole module.

Also there's a regression fix in Archive-Tar 3.12 and I want to wait a bit
to see if others surface.

Upstream plans to include the fixes in point releases for 5.42 and 5.40,
as discussed in https://github.com/Perl/perl5/issues/24445 . Let's see
what they do with this first.

-- 
Niko Tyni       [email protected]
