[Git][security-tracker-team/security-tracker][master] node-tar spu

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Mar 25 19:49:10 GMT 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
02f2f2fd by Moritz Mühlenhoff at 2026-03-25T20:48:29+01:00
node-tar spu

- - - - -


3 changed files:

- data/CVE/list
- data/dsa-needed.txt
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -8733,6 +8733,8 @@ CVE-2026-29787 (mcp-memory-service is an open-source memory backend for multi-ag
 	NOT-FOR-US: mcp-memory-service
 CVE-2026-29786 (node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10,  ...)
 	- node-tar 6.2.1+ds1+~cs6.1.13-8
+	[trixie] - node-tar <no-dsa> (Minor issue)
+	[bookworm] - node-tar <no-dsa> (Minor issue)
 	NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
 	NOTE: Fixed by: https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f (v7.5.10)
 CVE-2026-29784 (Ghost is a Node.js content management system. From version 5.101.6 to  ...)
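Review bot: the `[bookworm] - node-tar <no-dsa> (Minor issue)` line added under CVE-2026-29786 has no counterpart later in this commit, since the data/next-point-update.txt hunk queues this CVE for trixie only. The dsa-needed.txt entry being removed covered {bookworm,trixie}-security, so either queue the bookworm fix as well or state in the commit message that bookworm is deliberately left unfixed for now.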
@@ -15439,6 +15441,8 @@ CVE-2026-26963 (Cilium is a networking, observability, and security solution wit
 	- cilium <itp> (bug #858303)
 CVE-2026-26960 (node-tar is a full-featured Tar for Node.js. When using default option ...)
 	- node-tar 6.2.1+ds1+~cs6.1.13-8 (bug #1129378)
+	[trixie] - node-tar <no-dsa> (Minor issue)
+	[bookworm] - node-tar <no-dsa> (Minor issue)
 	NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
 	NOTE: Fixed by: https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f (v7.5.8)
 	NOTE: Fixed by: https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384 (v7.5.8)
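Review bot: CVE-2026-26960 lists two upstream fix commits (d18e4e1f and 2cb1120b, both v7.5.8), so the `<no-dsa>` tags added here are only justified if the queued trixie upload 6.2.1+~cs7.0.8-1+deb13u1 backports both of them. A NOTE line recording that both commits are included in that upload would make this checkable from the tracker entry itself.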
@@ -28828,6 +28832,8 @@ CVE-2026-23800 (Incorrect Privilege Assignment vulnerability in Modular DS modul
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-23745 (node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails t ...)
 	- node-tar 6.2.1+ds1+~cs6.1.13-6
+	[trixie] - node-tar <no-dsa> (Minor issue)
+	[bookworm] - node-tar <no-dsa> (Minor issue)
 	NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
 	NOTE: Fixed by: https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e (v7.5.3)
 CVE-2026-23744 (MCPJam inspector is the local-first development platform for MCP serve ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -60,9 +60,6 @@ mbedtls/oldstable
 nodejs
   Maintainer proposed an update for trixie-security for review, no bookworm-security update yet
 --
-node-tar
-  Daniel Leidert proposed to work on {bookworm,trixie}-security updates, but maintainers should be involved
---
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
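Review bot: removing the node-tar block drops the only visible record that bookworm-security work was proposed and that "maintainers should be involved", and nothing else in this commit tracks a bookworm fix. The commit message "node-tar spu" does not say how that coordination ended, so please add a line on the outcome, for example that the fixes go through the stable point update instead of a DSA.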


=====================================
data/next-point-update.txt
=====================================
@@ -124,3 +124,11 @@ CVE-2025-71264
 	[trixie] - mumble 1.5.735-5+deb13u1
 CVE-2026-33228
 	[trixie] - node-flatted 3.2.7~ds-1+deb13u1
+CVE-2026-23745
+	[trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
+CVE-2026-23950
+	[trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
+CVE-2026-29786
+	[trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
+CVE-2026-26960
+	[trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
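Review bot: CVE-2026-23950 is queued here for trixie, but the data/CVE/list hunks in this commit add `<no-dsa>` tags only for CVE-2026-23745, CVE-2026-26960 and CVE-2026-29786. Please check that the CVE-2026-23950 entry already carries a matching `[trixie] - node-tar <no-dsa>` line, and add it in this commit if it does not, so the two files stay consistent.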



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02f2f2fd2d8d5a8b4b468a80ea1d5ec47acda3ea
