Control: tags -1 + confirmed

On Wed, 2026-06-24 at 16:08 +0200, Daniel Leidert wrote:
> node-tar in Bookworm is vulnerable to multiple CVEs.
> 
>   - CVE-2024-28863: excessive memory consumption
>   - CVE-2026-23745: sanitize absolute linkpaths properly
>     (the fix opens CVE-2026-24842 and CVE-2026-31802)
>   - CVE-2026-26960: do not write linkpaths through symlinks
>   - CVE-2026-29786: parse root off paths before sanitizing parts
> 
> By fixing CVE-2026-23745, it becomes necessary to fix CVE-2026-24842
> and CVE-2026-31802 as well, because the fix introduces the vulnerable
> code for these issues:

Please go ahead.

Regards,

Adam
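Editor's added example, not part of the bug report and not node-tar's code: a small JavaScript model of the three hardening rules the CVE titles above name (strip the root off a path before sanitizing its parts, sanitize absolute linkpaths, and never write a path or link target through a previously extracted symlink). The `Extractor` class, the entry shape, the function names and the policy of rejecting absolute symlink targets outright are this example's own assumptions; the sample entry list is constructed, not a real archive.

```javascript
'use strict';
// Added illustration, not node-tar's implementation. Entry objects, names and
// the policy below are assumptions made for this example only.

// "parse root off paths before sanitizing parts": remove a POSIX "/" root or a
// Windows drive root BEFORE splitting into components, so "C:" or a leading
// "/" can never survive as an ordinary path part.
function stripRoot(p) {
  let rest = p.replace(/\\/g, '/');
  let root = '';
  const drive = /^[A-Za-z]:\/*/.exec(rest);
  if (drive) { root = drive[0]; rest = rest.slice(root.length); }
  const lead = /^\/+/.exec(rest);
  if (lead) { root += lead[0]; rest = rest.slice(lead[0].length); }
  return { root, rest };
}

// Split a root-less path into parts; drop "" and ".", resolve ".." and refuse
// anything that would climb above the extraction root.
function sanitizeParts(rel) {
  const out = [];
  for (const part of rel.split('/')) {
    if (part === '' || part === '.') continue;
    if (part === '..') {
      if (out.length === 0) throw new Error(`escapes extraction root: ${rel}`);
      out.pop();
    } else {
      out.push(part);
    }
  }
  return out;
}

function sanitizeEntryPath(p) {
  const { root, rest } = stripRoot(p);
  const parts = sanitizeParts(rest);
  if (parts.length === 0) throw new Error(`empty path: ${p}`);
  return { strippedRoot: root, parts };
}

// "sanitize absolute linkpaths": a hard link target is archive-relative and
// gets exactly the entry-path treatment; a symlink target is resolved against
// the link's own directory and must stay inside the root. Assumed policy:
// absolute symlink targets are rejected rather than rewritten.
function sanitizeLinkTarget(type, entryParts, linkpath) {
  const { root, rest } = stripRoot(linkpath);
  if (type === 'link') return sanitizeParts(rest);
  if (root !== '') throw new Error(`absolute symlink target: ${linkpath}`);
  return sanitizeParts(entryParts.slice(0, -1).concat(rest.split('/')).join('/'));
}

// "do not write linkpaths through symlinks": remember what was extracted and
// refuse any entry whose path, or whose hard link target, passes through a
// symlink created by an earlier entry.
class Extractor {
  constructor() { this.entries = new Map(); this.warnings = []; }

  ancestorIsSymlink(parts) {
    for (let i = 1; i < parts.length; i++) {
      const e = this.entries.get(parts.slice(0, i).join('/'));
      if (e && e.type === 'symlink') return true;
    }
    return false;
  }

  // entry: { type: 'file'|'dir'|'symlink'|'link', path, linkpath? }
  // Returns the archive-relative key under which the entry was recorded.
  add(entry) {
    const { strippedRoot, parts } = sanitizeEntryPath(entry.path);
    if (strippedRoot) this.warnings.push(`stripped ${JSON.stringify(strippedRoot)} from ${entry.path}`);
    if (this.ancestorIsSymlink(parts)) throw new Error(`writes through symlink: ${entry.path}`);
    const key = parts.join('/');
    if (entry.type === 'symlink' || entry.type === 'link') {
      const target = sanitizeLinkTarget(entry.type, parts, entry.linkpath);
      if (entry.type === 'link' && this.ancestorIsSymlink(target)) {
        throw new Error(`hard link target passes through symlink: ${entry.linkpath}`);
      }
      this.entries.set(key, { type: entry.type, target: target.join('/') });
    } else {
      this.entries.set(key, { type: entry.type });
    }
    return key;
  }
}

// Constructed sample listing (not a real tarball) that exercises each rule.
function demo() {
  const x = new Extractor();
  const results = [];
  const entries = [
    { type: 'dir', path: '/pkg/' },                                // root stripped, accepted
    { type: 'symlink', path: 'pkg/lnk', linkpath: 'sub' },         // stays inside root, accepted
    { type: 'file', path: 'pkg/lnk/evil' },                        // writes through a symlink
    { type: 'symlink', path: 'pkg/abs', linkpath: '/etc' },        // absolute symlink target
    { type: 'symlink', path: 'pkg/up', linkpath: '../../etc' },    // escapes the root
    { type: 'link', path: 'pkg/h', linkpath: 'C:\\pkg\\lnk\\f' },  // drive root, then through symlink
  ];
  for (const e of entries) {
    try { results.push(['ok', x.add(e)]); }
    catch (err) { results.push(['rejected', err.message]); }
  }
  return { results, warnings: x.warnings };
}

console.log(JSON.stringify(demo(), null, 1));
```

Running the block prints which constructed entries were accepted and which were rejected, and why. The order inside `sanitizeEntryPath` is the point of the third rule: the root is identified and removed on the raw string, and only the remainder is ever split into parts, so no component-level check has to recognise a drive prefix or a leading separator after the fact.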
