Hi Xavier, On Tue, Mar 24, 2026 at 08:53:29PM +0100, Xavier wrote: > Hi, > > both CVE-2026-24842 and CVE-2026-31802 are marked "not-affected", which is > partially wrong: this 2 issues were introduced in CVE-2026-23745. But this > fix has been introduced into node-tar 6.2.1+ds1+~cs6.1.13-6 so testing is > vulnerable for now until node-tar migrates to testing. > I backported CVE-2026-24842 and CVE-2026-31802 into version > 6.2.1+ds1+~cs6.1.13-10, so sid is not vulnerable.
Thanks, I have updated it earlier after processing yesterday new uploads to unstable fixing CVEs. Regards, Salvatore
