Debian Patches

Status for node-tar/6.2.1+ds1+~cs6.1.13-10

Patch Description Author Forwarded Bugs Origin Last update
api-backward-compatibility.patch expose old method names for backward compatibility Jérémy Lal <kapouer@melix.org> not-needed 2018-06-08
0002-Port-to-rimraf-4.patch Port to rimraf@4 Bastien Roucariès <rouca@debian.org> not-needed 2025-12-22
0003-Remove-test-that-may-fail.patch Remove test that may fail Bastien Roucariès <rouca@debian.org> not-needed 2025-12-25
CVE-2026-23745.patch sanitize absolute linkpaths properly isaacs <i@izs.me> not-needed upstream upstream, https://github.com/isaacs/node-tar/commit/340eb285 2026-01-17
CVE-2026-23950.patch normalize out unicode ligatures Yadd <yadd@debian.org> not-needed upstream upstream, https://github.com/isaacs/node-tar/commit/3b1abfae 2026-01-22
CVE-2026-29786.patch parse root off paths before sanitizing .. parts isaacs <i@izs.me> not-needed upstream upstream, https://github.com/isaacs/node-tar/commit/7bc755dd 2026-03-04
CVE-2026-26960.patch <short summary of the patch> isaacs <i@izs.me> not-needed upstream upstream, https://github.com/isaacs/node-tar/commit/d18e4e1f 2026-02-12
CVE-2026-24842.patch properly sanitize hard links containing .. The issue is that *hard* links are resolved relative to the unpack cwd,
so if they have `..`, they cannot possibly be valid. The loosening of
the '..' restriction for symbolic links should have been limited by type.		 isaacs <i@izs.me> not-needed upstream upstream, https://github.com/isaacs/node-tar/commit/f4a7aa9b 2026-03-24
CVE-2026-31802.patch prevent escaping symlinks with drive-relative paths After stripping the drive letter root from paths like c:../../../foo,
re-check for '..' to prevent path traversal via drive-relative linkpaths.		 isaacs <i@izs.me> not-needed upstream upstream, https://github.com/isaacs/node-tar/commit/f48b5fa3 2026-03-24
adapt-to-chownr-3.patch Adapt to chownr 3 (named exports) Yadd <yadd@debian.org> not-needed 2026-03-23

All known versions for source package 'node-tar'

Links