Your message dated Wed, 24 Jun 2026 09:05:07 +0000
with message-id <[email protected]>
and subject line Bug#1139827: fixed in node-tmp 0.2.7+dfsg+~0.2.6-1
has caused the Debian Bug report #1139827,
regarding node-tmp: CVE-2026-44705
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139827
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-tmp
Version: 0.2.5+dfsg+~0.2.6-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-tmp.

CVE-2026-44705[0]:
| tmp is a temporary file and directory creator for node.js. Prior to
| 0.2.6, the tmp npm package contains a path traversal vulnerability
| that allows escaping the intended temporary directory when untrusted
| data flows into the prefix, postfix, or dir options. By embedding
| traversal sequences (e.g., ../) or path separators in these
| parameters, attackers can cause files to be created outside the
| configured temporary base directory at attacker-controlled locations
| with the privileges of the running process. This vulnerability
| affects applications that pass user-controlled data to tmp's
| file/directory creation functions without proper input sanitization.
| This vulnerability is fixed in 0.2.6.

Note that upstream 0.2.6 introduced CVE-2026-49982, so when fixing
this issue make sure not to open up the later one, and make the fixes
complete.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44705
    https://www.cve.org/CVERecord?id=CVE-2026-44705
[1] https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-tmp
Source-Version: 0.2.7+dfsg+~0.2.6-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-tmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-tmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Jun 2026 10:44:58 +0200
Source: node-tmp
Architecture: source
Version: 0.2.7+dfsg+~0.2.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1139827
Changes:
 node-tmp (0.2.7+dfsg+~0.2.6-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.4
   * Drop "Rules-Requires-Root: no"
   * Drop "Priority: optional"
   * debian/watch version 5
   * New upstream version (Closes: #1139827, CVE-2026-44705)
Checksums-Sha1:
 9d31ace36f1be5fa14303334626752938dcdc49a 2382 node-tmp_0.2.7+dfsg+~0.2.6-1.dsc
 84650c857096b66145afca3eebae144fe1e80d7a 3300 node-tmp_0.2.7+dfsg+~0.2.6.orig-types-tmp.tar.xz
 6e3553c9374de70353b43909dcfcae84c961b3fd 50572 node-tmp_0.2.7+dfsg+~0.2.6.orig.tar.xz
 54a3a9e3a13c7253b3794d1156193a0ffce67c48 4424 node-tmp_0.2.7+dfsg+~0.2.6-1.debian.tar.xz
Checksums-Sha256:
 43c88b175ba712769e2346141c333980660bef3f961f92272a3fe772f2c56834 2382 node-tmp_0.2.7+dfsg+~0.2.6-1.dsc
 aa766bbc6d3eb8522ab4d60f901240ba0859645dbf4acc31547bb66c1bb19086 3300 node-tmp_0.2.7+dfsg+~0.2.6.orig-types-tmp.tar.xz
 47ee713b947b54c553ad7c96b0610401051404915fc7a4e230b2dac3a1ae1ba4 50572 node-tmp_0.2.7+dfsg+~0.2.6.orig.tar.xz
 5488a3bd1cda7e364e93372d504b943ea439ebd53a1ff92225b129791e3f4e8b 4424 node-tmp_0.2.7+dfsg+~0.2.6-1.debian.tar.xz
Files:
 b3971839790cacf42a33cea14f6a3502 2382 javascript optional node-tmp_0.2.7+dfsg+~0.2.6-1.dsc
 c70e2358223e3bbb39638fff31fcf8c3 3300 javascript optional node-tmp_0.2.7+dfsg+~0.2.6.orig-types-tmp.tar.xz
 80b75ba801503c41796b40e9835b66c7 50572 javascript optional node-tmp_0.2.7+dfsg+~0.2.6.orig.tar.xz
 a4376cd017e37a847b496066f63339d2 4424 javascript optional node-tmp_0.2.7+dfsg+~0.2.6-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
