Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1649-1 gimp security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4486-1] nova security update
[DLA 4485-1] ca-certificates CA certificates update
Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6146-1] chromium security update
Debian GNU/Linux 13 (Trixie):
[DSA 6147-1] pillow security update
[SECURITY] [DLA 4486-1] nova security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4486-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Carlos Henrique Lima Melara
February 20, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nova
Version : 2:22.4.0-1~deb11u7
CVE ID : CVE-2026-24708
Debian Bug : 1128294
Dan Smith discovered that nova, a cloud computing fabric controller,
calls qemu-img without format restrictions for resize, which may result
in unsafe image resize operations that could destroy data on the host
system. Only compute nodes using the Flat image backend are affected.
For Debian 11 bullseye, this problem has been fixed in version
2:22.4.0-1~deb11u7.
We recommend that you upgrade your nova packages.
For the detailed security status of nova please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nova
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4485-1] ca-certificates CA certificates update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4485-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 20, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ca-certificates
Version : 20230311+deb12u1~deb11u1
Debian Bug : 995432 1095913
ca-certificates, a package that contains the certificate authorities
shipped with Mozilla's browser to allow SSL-based applications to check
the authenticity of SSL connections, was updated.
The Mozilla certificate authority bundle was updated to version 2.60.
The following certificate authorities were added (+):
+ "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+ "ANF Secure Server Root CA"
+ "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+ "Certainly Root E1"
+ "Certainly Root R1"
+ "Certum EC-384 CA"
+ "Certum Trusted Root CA"
+ "D-TRUST BR Root CA 1 2020"
+ "D-TRUST EV Root CA 1 2020"
+ "DigiCert TLS ECC P384 Root G5"
+ "DigiCert TLS RSA4096 Root G5"
+ "E-Tugra Global Root CA ECC v3"
+ "E-Tugra Global Root CA RSA v3"
+ "GlobalSign Root R46"
+ "GlobalSign Root E46"
+ "GLOBALTRUST 2020"
+ "HARICA TLS ECC Root CA 2021"
+ "HARICA TLS RSA Root CA 2021"
+ "HiPKI Root CA - G1"
+ "ISRG Root X2"
+ "Security Communication ECC RootCA1"
+ "Security Communication RootCA3"
+ "Telia Root CA v2"
+ "TunTrust Root CA"
+ "vTrus ECC Root CA"
+ "vTrus Root CA"
The following certificate authorities were removed (-):
- "Chambers of Commerce Root - 2008"
- "Cybertrust Global Root" (expired)
- "EC-ACC"
- "GeoTrust Primary Certification Authority - G2"
- "Global Chambersign Root - 2008"
- "GlobalSign Root CA - R2" (expired)
- "Hellenic Academic and Research Institutions RootCA 2011"
- "Network Solutions Certificate Authority"
- "QuoVadis Root CA"
- "Sonera Class 2 Root CA"
- "Staat der Nederlanden EV Root CA" (expired)
- "Staat der Nederlanden Root CA - G3"
- "Trustis FPS Root CA"
- "VeriSign Universal Root Certification Authority"
This update also adds two Sectigo roots that are in active use and were
causing interoperability issues; these roots were included in Mozilla
bundle version 2.62:
+ Sectigo Public Server Authentication Root E46
+ Sectigo Public Server Authentication Root R46
The expired root certificate "DST Root CA X3" was blacklisted.
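A post-upgrade check an administrator might run, added here as an example and not part of the advisory: it parses /etc/ca-certificates.conf (where update-ca-certificates keeps one entry per certificate and prefixes deselected ones with `!`) and reports whether roots named above are enabled, disabled or absent. It assumes Debian's file naming, in which the CA label's spaces become underscores under mozilla/, and uses a constructed subset of the advisory's names.

```python
from pathlib import Path

# Constructed subset of the roots DLA-4485-1 adds; extend with the full list.
EXPECTED_PRESENT = [
    "ISRG Root X2",
    "Certainly Root R1",
    "Sectigo Public Server Authentication Root R46",
]
# Roots the advisory removes or blacklists: none of these may stay enabled.
EXPECTED_GONE = [
    "DST Root CA X3",
    "GlobalSign Root CA - R2",
    "Cybertrust Global Root",
]

def ca_filename(name: str) -> str:
    """Map a CA label to the conf entry (assumption: spaces -> underscores,
    which holds for the names used here)."""
    return "mozilla/" + name.replace(" ", "_") + ".crt"

def parse_conf(text: str) -> dict:
    """'#' lines are comments; a leading '!' marks an installed but
    deselected (untrusted) certificate; anything else is enabled."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            state[line[1:]] = "disabled"
        else:
            state[line] = "enabled"
    return state

def audit(conf_text: str) -> dict:
    """Return {CA label: 'enabled' | 'disabled' | 'absent'} for every root
    the advisory expects present or gone."""
    state = parse_conf(conf_text)
    return {n: state.get(ca_filename(n), "absent")
            for n in EXPECTED_PRESENT + EXPECTED_GONE}

def trust_store_ok(conf_text: str) -> bool:
    """True when all added roots are enabled and no removed root is enabled."""
    f = audit(conf_text)
    return (all(f[n] == "enabled" for n in EXPECTED_PRESENT)
            and all(f[n] != "enabled" for n in EXPECTED_GONE))

if __name__ == "__main__":
    conf = Path("/etc/ca-certificates.conf").read_text()
    for name, status in audit(conf).items():
        print(f"{status:9} {name}")
    print("OK" if trust_store_ok(conf) else "MISMATCH: run update-ca-certificates")
```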
Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system administrator.
For Debian 11 bullseye, this problem has been fixed in version
20230311+deb12u1~deb11u1.
We recommend that you upgrade your ca-certificates packages.
For the detailed security status of ca-certificates please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ca-certificates
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6147-1] pillow security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6147-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 20, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : pillow
CVE ID : CVE-2026-25990
Yarden Porat discovered that missing input sanitising in the PSD support
of Pillow, a Python imaging library, could result in denial of service
or the execution of arbitrary code if malformed images are processed.
The oldstable distribution (bookworm) is not affected.
For the stable distribution (trixie), this problem has been fixed in
version 11.1.0-5+deb13u1.
We recommend that you upgrade your pillow packages.
For the detailed security status of pillow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pillow
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 6146-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6146-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
February 20, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2026-2648 CVE-2026-2649 CVE-2026-2650
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the oldstable distribution (bookworm), these problems have been fixed
in version 145.0.7632.109-1~deb12u3.
For the stable distribution (trixie), these problems have been fixed in
version 145.0.7632.109-1~deb13u3.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1649-1 gimp security update
Package : gimp
Version : 2.8.18-1+deb9u8 (stretch), 2.10.8-2+deb10u7 (buster)
Related CVEs :
CVE-2026-2239
CVE-2026-2271
CVE-2026-2272
Several vulnerabilities were discovered in GIMP, the GNU Image
Manipulation Program, which could result in denial of service or
potentially the execution of arbitrary code if malformed PSD, PSP or ICO
files are opened.