Hi,both CVE-2026-24842 and CVE-2026-31802 are marked "not-affected", which is partially wrong: this 2 issues were introduced in CVE-2026-23745. But this fix has been introduced into node-tar 6.2.1+ds1+~cs6.1.13-6 so testing is vulnerable for now until node-tar migrates to testing. I backported CVE-2026-24842 and CVE-2026-31802 into version 6.2.1+ds1+~cs6.1.13-10, so sid is not vulnerable.
Best regards, Xavier
