Debian 10792

Debian has released multiple security advisories to address vulnerabilities in various packages. The affected packages include nova, inetutils, libvpx, gegl, and python-django, which have been fixed in versions 2:26.2.2-1~deb12u4, 2:2.6-3+deb13u2, 1.15.0-2.1+deb13u1, 1:0.4.62-2+deb13u2, and 2:2.2.28-1~deb11u12, respectively. These updates are recommended to prevent potential denial of service attacks, SQL injection, and other security risks. Users can refer to the Debian Security Tracker pages for detailed security information about each package.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1648-1 python-django security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4484-1] python-django security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6145-1] nova security update
[DSA 6143-1] libvpx security update
[DSA 6142-1] gegl security update

Debian GNU/Linux 13 (Trixie):
[DSA 6144-1] inetutils security update



[SECURITY] [DSA 6145-1] nova security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6145-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 19, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : nova
CVE ID : CVE-2026-24708
Debian Bug : 1128294

Dan Smith discovered that nova, a cloud computing fabric controller,
calls qemu-img without format restrictions for resize, which may result
in unsafe image resize operations that could destroy data on the host
system. Only compute nodes using the Flat image backend are affected.
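When qemu-img is invoked without `-f`, it probes the image header to guess the format, so a disk that is recorded as raw but whose first sector carries a qcow2 header is handled as qcow2, and any backing-file path in that header is then interpreted on the host. The advisory does not describe Debian's patch, and the following Python is an added example rather than nova's code: it pins the format with `-f` on every resize and, as an additional check, refuses to treat a file as raw when its first bytes carry the qcow magic. The path under /var/lib/nova/instances, the grow-only size syntax and the two permitted formats are assumptions of this example.

```python
import os
import re
import subprocess

# Every qcow/qcow2 file starts with these four bytes; a "raw" disk whose first
# sector carries them is exactly what format probing would misidentify.
QCOW_MAGIC = b"QFI\xfb"
# Grow-only sizes such as 20G (assumed policy): no +/- prefixes, no --shrink.
SIZE_RE = re.compile(r"^[0-9]+[kKMGT]?$")
ALLOWED_FORMATS = ("raw", "qcow2")


def looks_like_qcow(header: bytes) -> bool:
    """True if the first bytes of an image carry the qcow/qcow2 magic."""
    return header[:4] == QCOW_MAGIC


def is_safe_raw_header(header: bytes) -> bool:
    """A disk recorded as raw must not look like qcow, or a probing tool could
    follow whatever backing-file path the header names."""
    return not looks_like_qcow(header)


def build_resize_argv(image_path: str, fmt: str, new_size: str) -> list:
    """Assemble the qemu-img command with the format pinned via -f."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported image format: {fmt!r}")
    if not SIZE_RE.match(new_size):
        raise ValueError(f"bad size: {new_size!r}")
    if not os.path.isabs(image_path):
        raise ValueError("image path must be absolute")
    return ["qemu-img", "resize", "-f", fmt, image_path, new_size]


def resize_image(image_path: str, fmt: str, new_size: str, run=subprocess.run):
    """Resize with an explicit format; refuse raw images that carry a qcow header."""
    argv = build_resize_argv(image_path, fmt, new_size)
    if fmt == "raw":
        with open(image_path, "rb") as fh:
            if not is_safe_raw_header(fh.read(4)):
                raise ValueError(f"{image_path}: recorded as raw but has a qcow header")
    return run(argv, check=True)


if __name__ == "__main__":
    # Constructed sample path; only the argv is shown, nothing is executed here.
    print(build_resize_argv("/var/lib/nova/instances/i-1/disk", "raw", "20G"))
```

The `run` parameter exists so the command assembly can be exercised without a real qemu-img on the machine; in production leave it at its default.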

For the oldstable distribution (bookworm), this problem has been fixed
in version 2:26.2.2-1~deb12u4.

For the stable distribution (trixie), this problem has been fixed in
version 2:31.0.0-6+deb13u2.

We recommend that you upgrade your nova packages.

For the detailed security status of nova please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/nova

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6144-1] inetutils security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6144-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 19, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : inetutils
CVE ID : not yet available

Ron Ben Yizhak discovered that the inetutils implementation of telnetd
didn't sanitise the CREDENTIALS_DIRECTORY environment variable before
passing it to the login binary. This could be exploited to bypass
authentication and login as root.

For the stable distribution (trixie), this problem has been fixed in
version 2:2.6-3+deb13u2.

We recommend that you upgrade your inetutils packages.

For the detailed security status of inetutils please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/inetutils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6143-1] libvpx security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6143-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 19, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libvpx
CVE ID : CVE-2026-2447

A buffer overflow was discovered in libvpx, a library implementing the
VP8/VP9 open video codecs, which could result in denial of service or
potentially the execution of arbitrary code.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.12.0-1+deb12u5.

For the stable distribution (trixie), this problem has been fixed in
version 1.15.0-2.1+deb13u1.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 6142-1] gegl security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-6142-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 19, 2026 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gegl
CVE ID : CVE-2026-2049 CVE-2026-2050

A heap-based buffer overflow was discovered in the RGBE/HDR parser of
GEGL, a graph-based image processing library, which could result in
denial of service or the execution of arbitrary code if malformed files
are processed.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1:0.4.42-2+deb12u2.

For the stable distribution (trixie), this problem has been fixed in
version 1:0.4.62-2+deb13u2.

We recommend that you upgrade your gegl packages.

For the detailed security status of gegl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gegl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4484-1] python-django security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4484-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
February 19, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-django
Version : 2:2.2.28-1~deb11u12
CVE IDs : CVE-2025-13473 CVE-2026-1207 CVE-2026-1285 CVE-2026-1287 CVE-2026-1312 CVE-2025-6069 CVE-2025-57833

It was discovered that there were multiple vulnerabilities in Django,
the Python-based web-development framework:

- CVE-2025-13473: The check_password function in
django.contrib.auth.handlers.modwsgi for authentication via
mod_wsgi allowed remote attackers to enumerate users via a timing
attack.

- CVE-2026-1207: Raster lookups on RasterField (only implemented on
PostGIS) allowed remote attackers to inject SQL via the band index
parameter.

- CVE-2026-1285: The django.utils.text.Truncator.chars() and
Truncator.words() methods (with html=True) and the
truncatechars_html and truncatewords_html template filters allowed
a remote attacker to cause a potential denial-of-service via
crafted inputs containing a large number of unmatched HTML end
tags.

- CVE-2026-1287: FilteredRelation was subject to SQL injection in
column aliases via control characters using a suitably crafted
dictionary, with dictionary expansion, as the **kwargs passed to
QuerySet methods annotate(), aggregate(), extra(), values(),
values_list() and alias().

- CVE-2026-1312: QuerySet.order_by() was subject to SQL injection
in column aliases containing periods when the same alias is, using
a suitably crafted dictionary, with dictionary expansion, used in
FilteredRelation.
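The user-enumeration item (CVE-2025-13473) is an instance of a general pattern: a password check that returns as soon as the username is unknown skips the slow hash, so a non-existent account answers measurably faster than a real one with a wrong password. The advisory does not describe Django's patch; the Python below is an added example, not Django's code, showing the leaky shape of such a check beside a version that performs the same hashing work whether or not the user exists. The user table, the dummy record and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000
_hash_calls = 0


def slow_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2, deliberately expensive; every call is counted so a test can see
    whether a code path did the work or skipped it."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table with a single real account.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, slow_hash("correct horse battery staple", _ALICE_SALT))}

# A throwaway record that exists only so unknown users cost the same time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = slow_hash("dummy-never-accepted", _DUMMY_SALT)


def check_password_leaky(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False  # returns before hashing: unknown users answer faster
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)


def check_password_constant_work(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Unknown user: hash against the dummy record anyway, then refuse.
        hmac.compare_digest(slow_hash(password, _DUMMY_SALT), _DUMMY_HASH)
        return False
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)


def hash_calls_made(check, username: str, password: str) -> int:
    """How many slow hashes a check performs for one login attempt."""
    before = _hash_calls
    check(username, password)
    return _hash_calls - before


def median_seconds(check, username: str, password: str, rounds: int = 5) -> float:
    """Wall-clock median of a login attempt, for eyeballing the timing gap."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        check(username, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for name, check in (("leaky", check_password_leaky),
                        ("constant-work", check_password_constant_work)):
        known = median_seconds(check, "alice", "wrong password")
        unknown = median_seconds(check, "nobody", "wrong password")
        print(f"{name:14s} known user {known * 1000:7.2f} ms"
              f"  unknown user {unknown * 1000:7.2f} ms")
```

The deterministic signal is the hash count: the leaky variant performs zero hashes for an unknown user, the hardened one performs exactly one, the same as for a known user. The timing printout is there for illustration only and will vary by machine.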

In addition, the fix for CVE-2025-6069 in the python3.9 source
package (released as part of a suite of updates in DLA 4445-1)
modified Python's html.parser.HTMLParser class in such a way that
it changed the behaviour of Django's strip_tags() method in some edge
cases that were tested by Django's testsuite. As a result of this
regression, we have updated the testsuite for the new expected
results.
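The FilteredRelation and order_by() items above (CVE-2026-1287, CVE-2026-1312) share a root cause: a column alias taken from a caller-supplied dictionary and expanded as **kwargs ends up inside generated SQL, and characters such as control characters or periods change how that SQL is parsed. Django's own validation is not reproduced on this page; the Python below is an added example, not Django's code, of an application-side gate that only lets plain identifier-shaped aliases through before dictionary expansion. The allowlist pattern is an assumption about what the application needs and is stricter than any particular framework check.

```python
import re
import unicodedata

# Conservative allowlist: an alias is a plain identifier, nothing more.
ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class UnsafeAlias(ValueError):
    """Raised when a column alias could change the shape of the generated SQL."""


def is_safe_alias(alias) -> bool:
    return isinstance(alias, str) and ALIAS_RE.fullmatch(alias) is not None


def describe_problem(alias: str) -> str:
    """Name the offending characters so a rejection is actionable in logs."""
    bad = sorted({
        unicodedata.name(c, f"U+{ord(c):04X}") for c in alias
        if not re.fullmatch(r"[A-Za-z0-9_]", c)
    })
    return ", ".join(bad) if bad else "does not start with a letter or underscore"


def partition_aliases(annotations: dict) -> tuple:
    """Split a would-be **kwargs mapping into (accepted, rejected) dicts,
    where rejected maps each bad alias to the reason it was refused."""
    accepted, rejected = {}, {}
    for alias, expr in annotations.items():
        if is_safe_alias(alias):
            accepted[alias] = expr
        else:
            rejected[alias] = describe_problem(alias)
    return accepted, rejected


def safe_kwargs(annotations: dict) -> dict:
    """Gate for dictionary expansion: raise instead of passing a bad alias on."""
    accepted, rejected = partition_aliases(annotations)
    if rejected:
        raise UnsafeAlias("; ".join(f"{k!r}: {v}" for k, v in rejected.items()))
    return accepted


if __name__ == "__main__":
    # Constructed sample of aliases a caller might hand in; expressions are placeholders.
    sample = {"total_count": "Count('id')", "price.amount": "F('price')", "a\x00b": "F('x')"}
    accepted, rejected = partition_aliases(sample)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

In application code the gate sits at the point of expansion, for example `queryset.annotate(**safe_kwargs(user_supplied))`, so a rejected alias raises before any SQL is built; the `partition_aliases` form is for logging which keys were dropped and why.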

For Debian 11 bullseye, this problem has been fixed in version
2:2.2.28-1~deb11u12.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1648-1 python-django security update


Package : python-django
Version : 1:1.10.7-2+deb9u30 (stretch), 1:1.11.29-1+deb10u19 (buster)

Related CVEs :
CVE-2025-13473
CVE-2026-1207
CVE-2026-1285
CVE-2026-1287
CVE-2026-1312

It was discovered that there were multiple vulnerabilities in Django, the Python-based web-development framework:

CVE-2025-13473: The check_password function in django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi allowed remote attackers to enumerate users via a timing attack.

CVE-2026-1207: Raster lookups on RasterField (only implemented on PostGIS) allowed remote attackers to inject SQL via the band index parameter.

CVE-2026-1285: The django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allowed a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.

CVE-2026-1287: FilteredRelation was subject to SQL injection in column aliases via control characters using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet methods annotate(), aggregate(), extra(), values(), values_list() and alias().

CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation.

In addition, the fix for CVE-2025-6069 in the python3.9 source package modified the html.parser.HTMLParser class in such a way that it changed the behaviour of Django's strip_tags() method in some edge cases that were tested by Django's testsuite. As a result of this regression, we have updated the testsuite for the new expected results.