Your message dated Wed, 11 Jun 2025 18:47:15 +0000
with message-id <e1upqtj-002k51...@fasolo.debian.org>
and subject line Bug#1101501: fixed in node-tar-fs 2.1.3-0+deb12u1
has caused the Debian Bug report #1101501,
regarding node-tar-fs: CVE-2024-12905
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1101501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101501
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-tar-fs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-tar-fs.

CVE-2024-12905[0]:
| An Improper Link Resolution Before File Access ("Link Following")
| and Improper Limitation of a Pathname to a Restricted Directory
| ("Path Traversal"). This vulnerability occurs when extracting a
| maliciously crafted tar file, which can result in unauthorized file
| writes or overwrites outside the intended extraction directory. The
| issue is associated with index.js in the tar-fs package.  This issue
| affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2,
| from 3.0.0 before 3.0.8.

https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed (v3.0.7)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-12905
    https://www.cve.org/CVERecord?id=CVE-2024-12905

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: node-tar-fs
Source-Version: 2.1.3-0+deb12u1
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-tar-fs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1101...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated node-tar-fs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Jun 2025 22:02:36 +0300
Source: node-tar-fs
Architecture: source
Version: 2.1.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1101501
Changes:
 node-tar-fs (2.1.3-0+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2024-12905: symlink path traversal (Closes: #1101501)
     - CVE-2025-48387: hardlink path traversal
Checksums-Sha1:
 282612fc4786eda51c6678bebd0c4d11f01099ff 2202 node-tar-fs_2.1.3-0+deb12u1.dsc
 41b5f9c659d7fa10d0cda24ecae09b97d6b73f4a 7951 node-tar-fs_2.1.3.orig.tar.gz
 6f645238c512bc321c11473b8cd30da490bc4f57 3128 node-tar-fs_2.1.3-0+deb12u1.debian.tar.xz
Checksums-Sha256:
 f2fb7d9f7f5e50c09e6050865ef08fa91c438778046080cec32c4acaf1036630 2202 node-tar-fs_2.1.3-0+deb12u1.dsc
 061356bce7a39c4b2947f6f406d45179155acfc23edf121f703689768841ad10 7951 node-tar-fs_2.1.3.orig.tar.gz
 b915da7f3e642970a1d0c9f0f4c89a817ae52c33833e66f749b98585779ec04d 3128 node-tar-fs_2.1.3-0+deb12u1.debian.tar.xz
Files:
 867147942f1bb8603fedf5a1f224c1dc 2202 javascript optional node-tar-fs_2.1.3-0+deb12u1.dsc
 9034827a8b0724931a4262c61395623f 7951 javascript optional node-tar-fs_2.1.3.orig.tar.gz
 1c33a18d17c4a4b61236e87f7561ecc0 3128 javascript optional node-tar-fs_2.1.3-0+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpC9wiwKhEtu.pgp
Description: PGP signature


--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
