node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u3) bullseye-security; urgency=medium

  * Non-maintainer upload by the Debian LTS team.
  * d/patches/CVE-2024-28863.patch: Add patch to fix CVE-2024-28863.
    - Generating a large number of sub-folders can consume memory on the
      system and even crash the Node.js client within a few seconds using a
      path with too many sub-folders inside.
  * d/patches/CVE-2026-23745.patch: Add patch to fix CVE-2026-23745.
    - When preservePaths is false, the linkpath of Link (hardlink) and
      SymbolicLink entries fail to be sanitized, allowing malicious archives
      to bypass the extraction root restriction, leading to arbitrary file
      overwrites via hardlinks and symlink poisoning via absolute symlink
      targets.
  * d/patches/CVE-2026-23745-regression-fix.patch: Add patch to fix a
    regression introduced by the fix for CVE-2026-23745.
    - The fix for CVE-2026-23745 introduces a regression that prevents
      unpacking archives with valid linkpaths within the archive.
  * d/patches/CVE-2026-24842.patch: Add patch to fix CVE-2026-24842.
    - The security check for hardlink entries allows an attacker to craft a
      malicious TAR archive that bypasses path traversal protections and
      creates hardlinks to arbitrary files outside the extraction directory.
  * d/patches/CVE-2026-26960-1.patch, d/patches/CVE-2026-26960-2.patch: Add
    patch to fix CVE-2026-26960.
    - An attacker-controlled archive can create a hardlink inside the
      extraction directory that points to a file outside the extraction root,
      enabling arbitrary file read and write as the extracting user.
  * d/patches/CVE-2026-29786.patch: Add patch to fix CVE-2026-29786.
    - An attacker-controlled archive can create a hardlink that points
      outside the extraction directory by using a drive-relative link target.
  * d/patches/CVE-2026-31802.patch: Add patch to fix CVE-2026-31802.
    - An attacker-controlled archive can create a hardlink that points
      outside the extraction directory by using a drive-relative link target.
  * d/tests/control: Allow stderr to ignore npm warnings.

 -- Daniel Leidert  Wed, 01 Apr 2026 05:44:08 +0200

node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u2) bullseye-security; urgency=medium

  * Team upload
  * Fix insufficient symlink protection (Closes: CVE-2021-37701)
  * Fix arbitrary file creation/overwrite and arbitrary code execution
    vulnerability (Closes: CVE-2021-37712)
  * Don't apply umask when uncompressing to avoid creating world writable
    directories

 -- Yadd  Thu, 11 Nov 2021 09:00:28 +0100

node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u1) bullseye; urgency=medium

  * Team upload
  * Remove paths from dirCache when no longer dirs
    (Closes: #992110, CVE-2021-32803)
  * Strip absolute paths more comprehensively
    (Closes: #992111, CVE-2021-32804)

 -- Yadd  Wed, 11 Aug 2021 21:50:15 +0200

node-tar (6.0.5+ds1+~cs11.3.9-1) unstable; urgency=medium

  [ Xavier Guimard ]
  * Team upload
  * Declare compliance with policy 4.5.1
  * Modernize debian/watch
  * Add ctype=nodejs to component(s)

  [ Pirate Praveen ]
  * Add @types/tar as component
  * New upstream version 6.0.5+ds1+~cs11.3.9

 -- Pirate Praveen  Thu, 07 Jan 2021 14:18:29 +0530

node-tar (6.0.5+ds1-2) unstable; urgency=medium

  * Team upload
  * Back to unstable after successful tests

 -- Xavier Guimard  Sat, 24 Oct 2020 19:54:30 +0200

node-tar (6.0.5+ds1-1) experimental; urgency=medium

  * Team upload

  [ Debian Janitor ]
  * Update standards version to 4.4.1, no changes needed.
  * debian/copyright: use spaces rather than tabs to start continuation
    lines.
  * Remove obsolete fields Name from debian/upstream/metadata.

  [ Xavier Guimard ]
  * Bump debhelper compatibility level to 13
  * Declare compliance with policy 4.5.0
  * Add "Rules-Requires-Root: no"
  * Use dh-sequence-nodejs
  * New upstream version 6.0.5+ds1
  * Refresh patch
  * Update test modules
  * Require node-mkdirp ≥ 1

 -- Xavier Guimard  Thu, 22 Oct 2020 08:35:38 +0200

node-tar (4.4.10+ds1-2) unstable; urgency=medium

  * Team upload
  * Switch install to pkg-js-tools
  * Increase test timeout
  * Don't install map.js, used only for tests
  * Switch to debhelper-compat
  * Back to unstable after successful tests using ci.debian.net

 -- Xavier Guimard  Thu, 22 Aug 2019 08:56:57 +0200

node-tar (4.4.10+ds1-1) experimental; urgency=medium

  * Team upload
  * Bump debhelper compatibility level to 12
  * Declare compliance with policy 4.4.0
  * Move installed files to /usr/share/nodejs
  * Replace pkg-components by pkg-js-tools (Closes: #933124)
  * Exclude embedded npm from minizlib import
  * New upstream version 4.4.10+ds1
  * Clean autopkgtest
  * Install map.js
  * Enable upstream test using pkg-js-tools.
    This embeds chmodr for tests only
  * Disable some failing test (even with npm install)
  * Update debian/copyright
  * Drop unneeded version constraints from (build) dependencies

 -- Xavier Guimard  Sat, 27 Jul 2019 13:34:30 +0200

node-tar (4.4.6+ds1-3) unstable; urgency=medium

  * Team upload
  * Tighten dependencies (Closes: #910165)
  * Update copyright file (remove chownr section)
  * Add autopkgtest

 -- Pirate Praveen  Mon, 15 Oct 2018 22:13:56 +0530

node-tar (4.4.6+ds1-2) unstable; urgency=medium

  * Team upload
  * Drop chownr component in favor of node-chownr package

 -- Pirate Praveen  Fri, 28 Sep 2018 01:27:08 +0530

node-tar (4.4.6+ds1-1) unstable; urgency=medium

  * Team upload
  * New upstream version 4.4.6+ds1
  * Allow pkg-components from backports
  * Bump debhelper compatibility level to 11
  * Bump Standards-Version to 4.2.1 (no changes needed)

 -- Pirate Praveen  Sun, 16 Sep 2018 13:29:46 +0530

node-tar (4.4.4+ds1-2) unstable; urgency=medium

  * Team upload
  * Reupload to unstable

 -- Pirate Praveen  Fri, 17 Aug 2018 11:48:35 +0530

node-tar (4.4.4+ds1-1) experimental; urgency=medium

  * Properly rebuild ds1, including all tarballs

 -- Jérémy Lal  Thu, 19 Jul 2018 12:23:16 +0200

node-tar (4.4.4+ds-4) experimental; urgency=medium

  * Properly build package from vcs. See README.source.

 -- Jérémy Lal  Thu, 19 Jul 2018 11:37:57 +0200

node-tar (4.4.4+ds-3) experimental; urgency=medium

  * Build-Depends on some modules needed for tests
  * New upstream version 4.4.4+ds
  * Update minipass version
  * api-backward-compatibility.patch: restore capitalized methods names.
    (Closes: #900491)
  * copyright: move comment from Source into Comment
  * Improve 4.4.1 changelog entry
  * Depends pkg-components >= 0.10

 -- Jérémy Lal  Fri, 08 Jun 2018 09:31:29 +0200

node-tar (4.4.1+ds-2) experimental; urgency=medium

  * Call dh-components using dh_override_install/clean, because default hook
    is only after dh_install.

 -- Jérémy Lal  Mon, 23 Apr 2018 13:43:58 +0200

node-tar (4.4.1+ds-1) experimental; urgency=medium

  * New upstream version 4.4.1+ds
  * Section javascript
  * Priority optional
  * Vcs salsa
  * Remove Testsuite field
  * Exclude benchmarks modules and repack
  * Standards-Version 4.1.4
  * Drop useless patch
  * Update Depends
  * Bundle these modules:
    + chownr (ITP #863985)
    + minipass
    + fs-minipass
    + minizlib
    using salsa:kapouer/pkg-components#f8714364 (see also #896608)
    which makes them easy to maintain using uscan-components and
    dh-components.
    Bundling criterions:
    - small source and same(ish) upstream author as main package
    - or not actively maintained and small number of potential reverse
      dependencies.
  * Run package tests
  * Add patch to avoid dependency on chmodr for running tests
    (node-chmodr is not available at the moment)

 -- Jérémy Lal  Mon, 23 Apr 2018 01:14:10 +0200

node-tar (2.2.1-1) unstable; urgency=medium

  [ Bas Couwenberg ]
  * Remove myself from Uploaders.

  [ Jérémy Lal ]
  * Imported Upstream version 2.2.1
  * Run tests in autopkgtest
  * Move build-deps to test deps
  * Upstream license moved to ISC
  * Secure Vcs url
  * Standards-Version 3.9.8
  * Add patch fixing test
  * Tighten dependency on node-fstream 1.0.10
  * Override lintian error about missing source for test data

 -- Jérémy Lal  Fri, 18 Nov 2016 09:52:18 +0100

node-tar (1.0.3-2) unstable; urgency=medium

  * Merge changes from previous releases.

 -- Bas Couwenberg  Sun, 15 Mar 2015 22:59:07 +0100

node-tar (1.0.3-1) unstable; urgency=low

  * Initial release (Closes: #780440)

 -- Bas Couwenberg  Sat, 14 Mar 2015 01:29:10 +0100

node-tar (0.1.18-1) unstable; urgency=low

  * Upstream update
  * control:
    + tighten dependency on node-inherits (>= 2)
    + canonicalize Vcs fields
    + Standards-Version 3.9.4

 -- Jérémy Lal  Thu, 15 Aug 2013 16:06:15 +0200

node-tar (0.1.17-1) experimental; urgency=low

  * Upstream update.
  * Use github url in watch file.
  * Use dh_installexamples instead of dh_installdocs.

 -- Jérémy Lal  Fri, 22 Mar 2013 10:18:26 +0100

node-tar (0.1.13-1) unstable; urgency=low

  * Initial release (Closes: #664719)

 -- Jérémy Lal  Sat, 17 Mar 2012 23:37:48 +0100