calibre - Debian Package Tracker

general

source: calibre (main)
version: 9.9.0+ds+~0.10.6-1
maintainer: Calibre maintainer team (DMD)
uploaders: YOKOTA Hiroshi [DMD] [DM] – Nicholas D Steeves [DMD] – Martin Pitt [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.12.0+dfsg-1+deb11u2
o-o-sec: 5.12.0+dfsg-1+deb11u4
o-o-p-u: 5.12.0+dfsg-1+deb11u2
oldstable: 6.13.0+repack-2+deb12u6
old-p-u: 6.13.0+repack-2+deb12u9
stable: 8.5.0+ds-1+deb13u2
stable-bpo: 8.16.2+ds+~0.10.5-3~bpo13+1
stable-p-u: 8.5.0+ds-1+deb13u3
testing: 9.8.0+ds+~0.10.6-2
unstable: 9.9.0+ds+~0.10.6-1

versioned links

5.12.0+dfsg-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.12.0+dfsg-1+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.13.0+repack-2+deb12u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.13.0+repack-2+deb12u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.5.0+ds-1+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.5.0+ds-1+deb13u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.16.2+ds+~0.10.5-3~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.8.0+ds+~0.10.6-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.9.0+ds+~0.10.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

calibre (29 bugs: 0, 19, 10, 0)
calibre-bin

action needed

6 security issues in bullseye high

There are 6 open security issues in bullseye.

5 important issues:

CVE-2026-27810: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.
CVE-2026-27824: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.
CVE-2026-30853: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
CVE-2026-33205: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.
CVE-2026-33206: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.

1 ignored issue:

CVE-2026-25731: calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.

Created: 2026-02-20 Last update: 2026-05-29 02:03

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit c326f2a7323738175fc9016dd86dfe0c607e8c5c
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri May 29 22:22:49 2026 +0000

    Bump zeroconf from 0.148.0 to 0.149.7
    
    Bumps [zeroconf](https://github.com/python-zeroconf/python-zeroconf) from 0.148.0 to 0.149.7.
    - [Release notes](https://github.com/python-zeroconf/python-zeroconf/releases)
    - [Changelog](https://github.com/python-zeroconf/python-zeroconf/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/python-zeroconf/python-zeroconf/compare/0.148.0...0.149.7)
    
    ---
    updated-dependencies:
    - dependency-name: zeroconf
      dependency-version: 0.149.7
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>

Created: 2026-05-30 Last update: 2026-06-07 23:02

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2026-05-31 Last update: 2026-06-07 23:01

lintian reports 974 warnings normal

Lintian reports 974 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-22 Last update: 2026-05-29 04:31

AppStream hints: 2 warnings for calibre normal

AppStream found metadata issues for packages:

calibre: 2 warnings

You should get rid of them to provide more metadata about this software.

Created: 2025-08-10 Last update: 2025-08-10 23:01

debian/patches: 4 patches to forward upstream low

Among the 23 debian patches available in version 9.9.0+ds+~0.10.6-1 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2024-07-20 Last update: 2026-05-29 06:47

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2026-30853: (needs triaging) calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
CVE-2026-33205: (needs triaging) calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.
CVE-2026-33206: (needs triaging) calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-02-08 Last update: 2026-05-29 02:03

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2025-01-12 00:33

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status: Blocked. Can't migrate due to a non-migratable dependency. Check status below.
- Blocked by: pyqt6
- Migration status for calibre (9.8.0+ds+~0.10.6-2 to 9.9.0+ds+~0.10.6-1): BLOCKED: Cannot migrate due to another item, which is blocked (please check which dependencies are stuck)
- Issues preventing migration:
- ∙ ∙ Depends: calibre pyqt6 (not considered)
- ∙ ∙ Invalidated by dependency
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/c/calibre.html
- ∙ ∙ Autopkgtest skipped on ppc64el: not installable (which is allowed)
- ∙ ∙ Autopkgtest skipped on riscv64: not installable (which is allowed)
- ∙ ∙ Autopkgtest skipped on s390x: not installable (which is allowed)
- ∙ ∙ Autopkgtest for calibre/9.9.0+ds+~0.10.6-1: amd64: Pass, arm64: Pass, i386: Pass
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- ∙ ∙ 10 days old (needed 2 days)
- Not considered

news

[rss feed]

[2026-06-02] Accepted calibre 8.5.0+ds-1+deb13u3 (source) into proposed-updates (Debian FTP Masters) (signed by: YOKOTA Hiroshi)
[2026-05-31] Accepted calibre 6.13.0+repack-2+deb12u9 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: YOKOTA Hiroshi)
[2026-05-28] Accepted calibre 9.9.0+ds+~0.10.6-1 (source) into unstable (YOKOTA Hiroshi)
[2026-05-25] Accepted calibre 6.13.0+repack-2+deb12u8 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: YOKOTA Hiroshi)
[2026-05-24] Accepted calibre 6.13.0+repack-2+deb12u7 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: YOKOTA Hiroshi)
[2026-05-24] calibre 9.8.0+ds+~0.10.6-2 MIGRATED to testing (Debian testing watch)
[2026-05-22] Accepted calibre 9.8.0+ds+~0.10.6-2 (source) into unstable (YOKOTA Hiroshi)
[2026-05-21] calibre 9.8.0+ds+~0.10.6-1 MIGRATED to testing (Debian testing watch)
[2026-05-13] Accepted calibre 9.8.0+ds+~0.10.6-1 (source) into unstable (YOKOTA Hiroshi)
[2026-05-13] Accepted calibre 9.8.0+ds+~0.10.5-5 (source) into unstable (YOKOTA Hiroshi)
[2026-05-12] Accepted calibre 9.8.0+ds+~0.10.5-4 (source) into unstable (YOKOTA Hiroshi)
[2026-05-12] Accepted calibre 9.8.0+ds+~0.10.5-3 (source) into unstable (YOKOTA Hiroshi)
[2026-05-11] Accepted calibre 9.8.0+ds+~0.10.5-2 (source) into unstable (YOKOTA Hiroshi)
[2026-05-03] calibre 9.8.0+ds+~0.10.5-1 MIGRATED to testing (Debian testing watch)
[2026-05-02] Accepted calibre 6.13.0+repack-2+deb12u6 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: YOKOTA Hiroshi)
[2026-05-02] Accepted calibre 8.5.0+ds-1+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: YOKOTA Hiroshi)
[2026-05-01] Accepted calibre 9.8.0+ds+~0.10.5-1 (source) into unstable (YOKOTA Hiroshi)
[2026-04-29] Accepted calibre 5.12.0+dfsg-1+deb11u4 (source amd64 all) into oldoldstable-security (Abhijith PA)
[2026-04-13] calibre 9.7.0+ds+~0.10.5-2 MIGRATED to testing (Debian testing watch)
[2026-04-11] Accepted calibre 9.7.0+ds+~0.10.5-2 (source) into unstable (YOKOTA Hiroshi)
[2026-04-10] Accepted calibre 9.7.0+ds+~0.10.5-1 (source) into unstable (YOKOTA Hiroshi)
[2026-04-08] calibre 9.6.0+ds+~0.10.5-6 MIGRATED to testing (Debian testing watch)
[2026-04-06] Accepted calibre 9.6.0+ds+~0.10.5-6 (source) into unstable (YOKOTA Hiroshi)
[2026-04-03] calibre 9.6.0+ds+~0.10.5-5 MIGRATED to testing (Debian testing watch)
[2026-03-31] Accepted calibre 9.6.0+ds+~0.10.5-5 (source) into unstable (YOKOTA Hiroshi)
[2026-03-31] Accepted calibre 9.6.0+ds+~0.10.5-4 (source) into unstable (YOKOTA Hiroshi)
[2026-03-29] Accepted calibre 9.6.0+ds+~0.10.5-3 (source) into unstable (YOKOTA Hiroshi)
[2026-03-28] Accepted calibre 9.6.0+ds+~0.10.5-2 (source) into unstable (YOKOTA Hiroshi)
[2026-03-27] Accepted calibre 9.6.0+ds+~0.10.5-1 (source) into unstable (YOKOTA Hiroshi)
[2026-03-18] calibre 9.5.0+ds+~0.10.5-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 30
RC: 0
I&N: 19
M&W: 10
F&P: 1
patch: 0

links

homepage
lintian (0, 974)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
l10n (-, 30)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.2.1+ds+~0.10.5-2build1