Your message dated Mon, 13 Oct 2025 18:20:48 +0000
with message-id <[email protected]>
and subject line Bug#1116338: fixed in node-tar-fs 3.0.9+~cs2.0.4-1+deb13u1
has caused the Debian Bug report #1116338,
regarding node-tar-fs: CVE-2025-59343
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1116338: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116338
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-tar-fs
Version: 3.0.9+~cs2.0.4-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-tar-fs.
CVE-2025-59343[0]:
| tar-fs provides filesystem bindings for tar-stream. Versions prior
| to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation
| bypass if the destination directory is predictable with a specific
| tarball. This issue has been patched in version 3.1.1, 2.1.4, and
| 1.16.6. A workaround involves using the ignore option on non
| files/directories.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-59343
https://www.cve.org/CVERecord?id=CVE-2025-59343
[1] https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v
[2] https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-tar-fs
Source-Version: 3.0.9+~cs2.0.4-1+deb13u1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-tar-fs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-tar-fs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 25 Sep 2025 22:58:19 +0200
Source: node-tar-fs
Binary: node-tar-fs
Architecture: source all
Version: 3.0.9+~cs2.0.4-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Description:
node-tar-fs - Node.js module that provides filesystem-like access to tar files
Closes: 1116338
Changes:
node-tar-fs (3.0.9+~cs2.0.4-1+deb13u1) trixie-security; urgency=medium
.
* Team upload
* Apply fix for CVE-2025-59343 (Closes: #1116338)
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel