Subject: GNU tar for netbsd-1-6
To: None <tech-security@netbsd.org>
From: Toru TAKAMIZU <ttaka@earth.email.ne.jp>
List: tech-security
Date: 07/05/2003 18:42:11
I'm reluctant to raise this matter, but I think I have to.

The netbsd-1-6 branch has GNU tar 1.11.2, which is known to have
a security issue.

Below is the summary of the situation.

I asked about the possibility that pax-as-tar would be accepted
as a pullup request. The answer was "no" for several reasons.
(At that time many issues remained, and there was a 64-bit platform issue.)

Then Matthias Scheler suggested the new version of GNU tar.
Although the suggestion was not a strong one, I sent a pullup request,
"[pullup-1-6 #1168] GNU tar 1.13.25" in February.

After that, James Chacon said:

> There is no way to apply the security fixes on the version on the 1.6
> branch? i.e. back porting them? Importing a new version to then patch seems
> like a bit of overkill if the patches could be worked in.

I answered:

> At least back porting is beyond my capacity.
> I don't know how to do it because our package, -current and FreeBSD
> didn't back port the change. Instead, the new version was imported.

I understand that importing a new version is not good in general,
but at least something should be done.

I'm reluctant to raise this matter because I can neither back port nor
suggest another solution. (Sorry for that.) I would like to
emphasize that I am not criticizing the developers.

Any ideas?

Please Cc: me because I'm not subscribed.

toru