Candidate: CVE-2015-8860
PublicDate: 2017-01-23 21:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8860
Description:
 The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Ubuntu-Description:
 It was discovered that node-tar mishandled certain tar archives. An attacker could use this vulnerability to write arbitrary files to the filesystem.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: mikesalvatore
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_node-tar:
 upstream: https://github.com/npm/node-tar/commit/a5337a6cd58a2d800fc03b3781a25751cf459f28
 upstream: https://github.com/npm/node-tar/issues/54
 upstream: https://github.com/npm/node-tar/pull/56
 upstream: https://github.com/npm/node-tar/pull/56/commits/5e6356e0ca256cba659ff24d0befbfe753a04cb6
 upstream: https://github.com/npm/node-tar/pull/56/commits/96355141e005fa192b4fd4c3134ec3bb824dfca8
upstream_node-tar: released (2.0.0)
precise_node-tar: ignored (reached end-of-life)
precise/esm_node-tar: DNE (precise was needed)
trusty_node-tar: ignored (reached end-of-life)
trusty/esm_node-tar: DNE (trusty was needed)
vivid/stable-phone-overlay_node-tar: DNE
vivid/ubuntu-core_node-tar: DNE
wily_node-tar: ignored (reached end-of-life)
xenial_node-tar: ignored (end of standard support, was needed)
yakkety_node-tar: ignored (reached end-of-life)
zesty_node-tar: ignored (reached end-of-life)
artful_node-tar: ignored (reached end-of-life)
bionic_node-tar: not-affected (2.2.1-1)
cosmic_node-tar: not-affected (2.2.1-1)
disco_node-tar: not-affected (2.2.1-1)
eoan_node-tar: not-affected (2.2.1-1)
focal_node-tar: not-affected (2.2.1-1)
groovy_node-tar: not-affected (2.2.1-1)
hirsute_node-tar: not-affected (2.2.1-1)
impish_node-tar: not-affected (2.2.1-1)
jammy_node-tar: not-affected (2.2.1-1)
devel_node-tar: not-affected (2.2.1-1)