[Git][security-tracker-team/security-tracker][master] Reserve DLA-4552-1 for node-tar

Daniel Leidert (@dleidert) dleidert at debian.org
Wed Apr 29 03:56:09 BST 2026



Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
802298c4 by Daniel Leidert at 2026-04-29T04:55:53+02:00
Reserve DLA-4552-1 for node-tar

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -262043,7 +262043,6 @@ CVE-2024-28891 (SQL injection vulnerability exists in the script Handler_CFG.ash
 CVE-2024-28863 (node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no  ...)
 	- node-tar 6.1.13+~cs7.0.5-2
 	[bookworm] - node-tar <no-dsa> (Minor issue)
-	[bullseye] - node-tar <no-dsa> (Minor issue)
 	[buster] - node-tar <no-dsa> (Minor issue)
 	NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
 	NOTE: https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Apr 2026] DLA-4552-1 node-tar - security update
+	{CVE-2024-28863 CVE-2026-23745 CVE-2026-24842 CVE-2026-26960 CVE-2026-29786 CVE-2026-31802}
+	[bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u3
 [27 Apr 2026] DLA-4551-1 mbedtls - security update
 	{CVE-2025-59438 CVE-2026-34871}
 	[bullseye] - mbedtls 2.16.9-0.1+deb11u4
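
Review bot: The CVE set on the second added line names six CVEs, but the only data/CVE/list change in this commit drops the [bullseye] <no-dsa> tag from CVE-2024-28863. Please confirm that none of CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786 and CVE-2026-31802 still carries a [bullseye] <no-dsa>, <postponed> or similar tag in data/CVE/list, since the removed dla-needed.txt note says to "also look at postponed issue". A leftover tag would be stale next to the fixed version 6.0.5+ds1+~cs11.3.9-1+deb11u3 recorded here.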


=====================================
data/dla-needed.txt
=====================================
@@ -361,12 +361,6 @@ node-lodash (utkarsh)
   NOTE: 20260201: uploaded to sid. would like for it to settle there first. (utkarsh)
   NOTE: 20260302: no regressions reported, will start to upload to stable releases. (utkarsh)
 --
-node-tar (dleidert)
-  NOTE: 20260121: Added by Front-Desk (pochu)
-  NOTE: 20260121: also look at postponed issue (pochu)
-  NOTE: 20260301: working on LTS and DSAs (dleidert)
-  NOTE: 20260301: wip: the recently added CVE-2026-26960, CVE-2026-24842, and CVE-2026-23745 are entangled and require backporting another non-CVE patch (dleidert)
---
 nodejs
   NOTE: 20260121: Added by Front-Desk (pochu)
   NOTE: 20260317: DSA-6166-1 released for trixie (7 CVEs) (Beuc/front-desk)
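
Review bot: Removing the node-tar block also drops the 20260301 note that CVE-2026-26960, CVE-2026-24842 and CVE-2026-23745 are entangled and need another non-CVE patch backported, and nothing else in this commit records that dependency. Consider adding a NOTE to those three entries in data/CVE/list that names the extra patch, so anyone handling the same CVEs for another release can find it.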



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/802298c43e5ce55b933ea9536282298b3e9916fa
