Your message dated Fri, 03 Apr 2026 19:32:12 +0000
with message-id <[email protected]>
and subject line Bug#1129378: fixed in node-tar 6.2.1+~cs7.0.8-1+deb13u1
has caused the Debian Bug report #1129378,
regarding node-tar: CVE-2026-26960
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129378: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129378
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-tar
Version: 6.2.1+ds1+~cs6.1.13-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-tar.

CVE-2026-26960[0]:
| node-tar is a full-featured Tar for Node.js. When using default
| options in versions 7.5.7 and below, an attacker-controlled archive
| can create a hardlink inside the extraction directory that points to
| a file outside the extraction root, enabling arbitrary file read and
| write as the extracting user. Severity is high because the primitive
| bypasses path protections and turns archive extraction into a direct
| filesystem access primitive. This issue has been fixed in version
| 7.5.8.

Note, I was not exactly able to reproduce/verify the issue completely,
but it should still apply to all versions before 7.5.8.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26960
    https://www.cve.org/CVERecord?id=CVE-2026-26960
[1] https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-tar
Source-Version: 6.2.1+~cs7.0.8-1+deb13u1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Mar 2026 12:34:05 +0100
Source: node-tar
Architecture: source
Version: 6.2.1+~cs7.0.8-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1129378
Changes:
 node-tar (6.2.1+~cs7.0.8-1+deb13u1) trixie; urgency=medium
 .
   * Team upload
   * Add patches for 6 CVEs: CVE-2026-23745, CVE-2026-23950, CVE-2026-24842,
     CVE-2026-26960, CVE-2026-29786, CVE-2026-31802 (Closes: #1129378)
Checksums-Sha1:
 0ac1fd689a43dc1b6631a2d83ac37dcbddaea229 2965 node-tar_6.2.1+~cs7.0.8-1+deb13u1.dsc
 931e53434a959d4ea3c7821d50b1ebf1e73aad7e 15664 node-tar_6.2.1+~cs7.0.8-1+deb13u1.debian.tar.xz
Checksums-Sha256:
 ad80e7dc3304f173d956af544ea0f98d71922178bb0fc168f89a96eb4bf23953 2965 node-tar_6.2.1+~cs7.0.8-1+deb13u1.dsc
 85010c3764b86369387ad87562090b8d9e4578289c130c30049a3bbb361f01d3 15664 node-tar_6.2.1+~cs7.0.8-1+deb13u1.debian.tar.xz
Files:
 60c92ffea8508b3e0763e4cdfdcc0b55 2965 javascript optional node-tar_6.2.1+~cs7.0.8-1+deb13u1.dsc
 c6d5e40563b756a0eb392b8fe6b2939d 15664 javascript optional node-tar_6.2.1+~cs7.0.8-1+deb13u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIyBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmnIChwACgkQ9tdMp8mZ
7um0wA/3YVR3lsmqjgUAqwSI/TDSxt0jjsRtP7O9Apk0b1sdOVoEF9B+LEgpJ+Y6
nGYuTHVPniINzgwuqrJYQJ5fPYUNsZGoQhrIR1bBvnEpwkYSrqs6GJvhpUBncKYb
4Sw/l0OnRRfNXSkPnZPcbIh+7ZB4ZGFwKTEtnV29zZ05Oww7a7drMGLFRz5PQf5P
YRjXD7OV+c1gi4U4OfyguR0ZS77uyWtDIC3x8TTTFmRtebw4g9eWzmgbKsBtywQn
8scK9Jol0ekk51L0rnW+xr67MdHLHL1tk9pYq6kgAris/c96XyKR62POGPHzlVjg
XaZyCr4NLkTDfbdctvzDNhmk8/gJfMOO730TB1tDOGFTKDZLFZfPrwkSmsVvNvoN
oZyQ1MDtOcj37mVG+YUykqTAWtBYR78rnhNryZ/9z7IpR3FAwQGSJC8cpIKlSrOE
LxJN/7HTsBFyvjVGxZE2nnskDaWX0PMYLCvnrp4g0Mikl0rsA9iN2sBKIn+/LQ5I
5OWA/+ahX5L6XyYgoYqkokMgRIFQJt5/wH6/VqIgUC2jgjzCdS6/2AR2u0cekXkX
hvuMcJMXKw4wvj3AGOkLHYi+FBOtwTV8rxh3YJyemxeYKUqZii1NugcVfZUoFGCT
FT8Mru90vKRgd191pEzPU8CQNJggm2vdU2eJdwcM8s2GINJL+A==
=vaSk
-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
