Hi, just one comment below:

On Wed, Jun 24, 2026 at 04:08:59PM +0200, Daniel Leidert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:node-tar
> User: [email protected]
> Usertags: pu
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> [ Reason ]
>
> node-tar in Bookworm is vulnerable to multiple CVEs.
>
> - CVE-2024-28863: excessive memory consumption
> - CVE-2026-23745: sanitize absolute linkpaths properly
>   (the fix opens CVE-2026-24842 and CVE-2026-31802)
> - CVE-2026-26960: do not write linkpaths through symlinks
> - CVE-2026-29786: parse root off paths before sanitizing parts
>
> By fixing CVE-2026-23745, it becomes necessary to fix CVE-2026-24842 and
> CVE-2026-31802 as well, because the fix introduces the vulnerable code for
> these issues:
>
> - CVE-2026-24842: properly sanitize hard links containing '..'
> - CVE-2026-31802: prevent escaping symlinks with drive-relative paths

While this is true from a released version point of view, we never introduced the issue for bookworm, so from the security-tracker point of view the not-affected state will not change. But it is good you mention the little bit more complicated situation here.

Ideally the stable update listing the CVEs should not mention those two CVEs as being fixed, as they were never present in the first place for bookworm.

Just clarifying how we would track this situation in the security-tracker.

Regards,
Salvatore

