[SECURITY] [DLA 4313-1] node-tar-fs security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 4313-1] node-tar-fs security update
From: Xavier <yadd@debian.org>
Date: Sun, 28 Sep 2025 18:38:06 +0200
Message-id: <[🔎] 20250928163806.2963F823FA@m.xnr.fr>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

From: Xavier Guimard <yadd@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4313-1] node-tar-fs security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4313-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                 Yadd
September 27, 2025                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : node-tar-fs
Version        : 2.1.3-0+deb11u2
CVE ID         : CVE-2025-59343
Debian Bug     : 

node-tar-fs versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to
symlink validation bypass if the destination directory is predictable
with a specific tarball.

For Debian 11 bullseye, this problem has been fixed in version
2.1.3-0+deb11u2.

We recommend that you upgrade your node-tar-fs packages.

For the detailed security status of node-tar-fs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-tar-fs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmjZY0sSHHguZ3VpbWFy
ZEBmcmVlLmZyAAoJEPbXTKfJme7pEVwP/374raK25Pt5hGfPC4ic9sW8zMkkONk3
hHQf1m7YvoO7l9hdPH/NO2z/qALFVczFGeXKatR+HdQuqHzrQanxGULCWXMc2ukC
vtE6kea/om3jAwep9gA1KCUNcd019oMbA4MQPdxzuX4zozMeIgsfRTl01y/tKgLA
V4dqoFWfRN+64507LosR65Vf6tEKxUajvmkb1/nFGWqBvTE+ljC+sWjWWKcTnm1r
D8aNv6CqMhnEB+xKXmlkTTrArpTaarAhXKVfY271yMXjW+H2Lq87Xg7VclFeba1z
n3W5r3hrySHQAtS8Fic6uw+e6DYTfEqBRm3TlfzFllwmQO67YpQeLOYj7/ZD+DL4
vbvLLUCc1/ZZkDt2DdeOVtUkRDXzsxJn8xjtxuqlU8xOQUl7MA1jnWWxkp4zyZ7H
cauhqA784rbNiT8pSohkt2G2o1MzThi3+c54cG3PFH11XOSG2nn8x6w50j+PKYuX
+c9mUfTGTezzVhkM6bPp+a87fGhmDkkJOCAFuMPRFdxpLok6w6yUqgyIh1Sa1wMp
+WYb5h96ZVTuVz38lJioInvxUpWIBlntFa88zJT8dtcuD48zepYyQjpMJNWLehBt
xktLXyiK0JjcGOG0dhDlf+l9Y6OgVFkH7KXM7THDcyqR8ixym6S8oqYp+qIQ/b7W
SiRYIqM77oKd
=Var5
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4312-1] squid security update
Previous by thread: [SECURITY] [DLA 4312-1] squid security update
Index(es):
- Date
- Thread