Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
https://www.drupal.org/sa-core-2020-013
https://www.debian.org/security/2020/dsa-4817
https://security.gentoo.org/glsa/202101-23
https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html