Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected], [email protected]
Control: affects -1 + src:jaraco.context
User: [email protected]
Usertags: pu

This update fixes the (non-dsa) path traversal vulnerability tracked as CVE-2026-23949. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed.

The only code change is a minimal backport of the upstream fix [2]. The patch is identical to the one used to fix the issue in unstable and low risk. All CI checks pass on trixie [3]. In addition, the update has been manually checked against new upstream testcases specifically testing for the security issue.

[1] https://security-tracker.debian.org/tracker/CVE-2026-23949
[2] https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9
[3] https://salsa.debian.org/jcfp/jaraco.context/-/pipelines/1011444

jaraco.context_6.0.1-1+deb13u1_source.debdiff
Description: Binary data

