Format: 1.8
Date: Fri, 06 Feb 2026 00:17:40 +0100
Source: nova
Architecture: source
Version: 2:22.4.0-1~deb11u6
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1128294
Changes:
 nova (2:22.4.0-1~deb11u6) bullseye-security; urgency=medium
 .
   * CVE-2026-24708/OSSA-2026-002: By writing a malicious QCOW header to a
     root or ephemeral disk and then triggering a resize, a user may convince
     Nova's flat image backend to call qemu-img without a format restriction
     resulting in an unsafe image resize operation that could destroy data on
     the host system. Applied upstream patch (Closes: #1128294):
     - cve-2026-24708-make-disk.extend-pass-format-to-qemu-img-2024.2.patch