Debian Patches
Status for node-tar/6.2.1+~cs7.0.8-1+deb13u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| api-backward-compatibility.patch | expose old method names for backward compatibility | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2018-06-08 |
| CVE-2026-23745.patch | sanitize absolute linkpaths properly | isaacs <i@izs.me> | not-needed | upstream | upstream, https://github.com/isaacs/node-tar/commit/340eb285 | 2026-01-17 |
| CVE-2026-23950.patch | normalize out unicode ligatures | Yadd <yadd@debian.org> | not-needed | upstream | upstream, https://github.com/isaacs/node-tar/commit/3b1abfae | 2026-01-22 |
| CVE-2026-29786.patch | parse root off paths before sanitizing .. parts | isaacs <i@izs.me> | not-needed | upstream | upstream, https://github.com/isaacs/node-tar/commit/7bc755dd | 2026-03-04 |
| CVE-2026-26960.patch | <short summary of the patch> | isaacs <i@izs.me> | not-needed | upstream | upstream, https://github.com/isaacs/node-tar/commit/d18e4e1f | 2026-02-12 |
| CVE-2026-24842.patch | properly sanitize hard links containing `..`. The issue is that *hard* links are resolved relative to the unpack cwd, so if they have `..`, they cannot possibly be valid. The loosening of the '..' restriction for symbolic links should have been limited by type. | isaacs <i@izs.me> | not-needed | upstream | upstream, https://github.com/isaacs/node-tar/commit/f4a7aa9b | 2026-03-24 |
| CVE-2026-31802.patch | prevent escaping symlinks with drive-relative paths. After stripping the drive letter root from paths like c:../../../foo, re-check for '..' to prevent path traversal via drive-relative linkpaths. | isaacs <i@izs.me> | not-needed | upstream | upstream, https://github.com/isaacs/node-tar/commit/f48b5fa3 | 2026-03-24 |
All known versions for source package 'node-tar'
- 6.2.1+ds1+~cs6.1.13-10 (forky, sid)
- 6.2.1+~cs7.0.8-1+deb13u1 (trixie-proposed-updates)
- 6.2.1+~cs7.0.8-1 (trixie)
- 6.1.13+~cs7.0.5-1 (bookworm)
