Processed: Re: Bug#1126260: trixie-pu: package jaraco.context/6.0.1-1+deb13u1
Processing control commands:

> tags -1 + confirmed
Bug #1126260 [release.debian.org] trixie-pu: package jaraco.context/6.0.1-1+deb13u1
Added tag(s) confirmed.

--
1126260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126260
Debian Bug Tracking System
Contact [email protected] with problems

Bug#1126260: trixie-pu: package jaraco.context/6.0.1-1+deb13u1
Control: tags -1 + confirmed

On Fri, 2026-01-23 at 12:29 +, Jeroen Ploemen wrote:
> This update fixes the (non-dsa) path traversal vulnerability tracked
> as CVE-2026-23949. The vulnerability may allow attackers to extract
> files outside the intended extraction directory when malicious tar
> archives are processed.

Please go ahead.

Regards,

Adam

Bug#1126260: trixie-pu: package jaraco.context/6.0.1-1+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected], [email protected]
Control: affects -1 + src:jaraco.context
User: [email protected]
Usertags: pu

This update fixes the (non-dsa) path traversal vulnerability tracked as CVE-2026-23949. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed.

The only code change is a minimal backport of the upstream fix [2]. The patch is identical to the one used to fix the issue in unstable and low risk. All CI checks pass on trixie [3]. In addition, the update has been manually checked against new upstream testcases specifically testing for the security issue.

[1] https://security-tracker.debian.org/tracker/CVE-2026-23949
[2] https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9
[3] https://salsa.debian.org/jcfp/jaraco.context/-/pipelines/1011444

jaraco.context_6.0.1-1+deb13u1_source.debdiff
Description: Binary data

