Bug#1138861: postponing CVE fixes in Archive-Tar
Niko Tyni
ntyni at debian.org
Fri Jun 5 19:46:14 BST 2026
I'm postponing fixes for CVE-2026-42496, CVE-2026-42497, and CVE-2026-9538
in Archive-Tar.

These are rather intertwined, and backporting them onto older versions
is pretty much the same thing as upgrading the whole module.

Also there's a regression fix in Archive-Tar 3.12 and I want to wait a bit
to see if others surface.

Upstream plans to include the fixes in point releases for 5.42 and 5.40,
as discussed in https://github.com/Perl/perl5/issues/24445 . Let's see
what they do with this first.
--
Niko Tyni ntyni at debian.org