[DSA 6219-1] pillow security update
[DLA 4539-1] imagemagick security update
ELA-1657-1 imagemagick security update
[SECURITY] [DSA 6219-1] pillow security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-6219-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 19, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : pillow
CVE ID : CVE-2026-40192
It was discovered that missing input sanitising in the FITS support of
Pillow, a Python imaging library, could result in denial of service.
The oldstable distribution (bookworm) is not affected.
For the stable distribution (trixie), this problem has been fixed in
version 11.1.0-5+deb13u2.
We recommend that you upgrade your pillow packages.
For the detailed security status of pillow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pillow
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4539-1] imagemagick security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4539-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
April 19, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : imagemagick
Version : 8:6.9.11.60+dfsg-1.3+deb11u11
CVE ID : CVE-2026-25971 CVE-2026-25985 CVE-2026-26284 CVE-2026-26983
CVE-2026-28494 CVE-2026-28686 CVE-2026-28687 CVE-2026-28688
CVE-2026-28689 CVE-2026-28690 CVE-2026-28691 CVE-2026-28692
CVE-2026-28693 CVE-2026-30883 CVE-2026-30936 CVE-2026-30937
CVE-2026-31853 CVE-2026-32259 CVE-2026-32636 CVE-2026-33535
CVE-2026-33536
Multiple security vulnerabilities were discovered in imagemagick,
a software suite used for editing and manipulating digital images, which
could lead to symlink races, information leaks, denial of service
and potentially arbitrary code execution.
For Debian 11 bullseye, these problems have been fixed in version
8:6.9.11.60+dfsg-1.3+deb11u11.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1657-1 imagemagick security update
Package : imagemagick
Version : 8:6.9.10.23+dfsg-2.1+deb10u15 (buster)
Related CVEs :
CVE-2026-24481
CVE-2026-24484
CVE-2026-24485
CVE-2026-25576
CVE-2026-25638
CVE-2026-25795
CVE-2026-25796
CVE-2026-25797
CVE-2026-25798
CVE-2026-25799
CVE-2026-25897
CVE-2026-25898
CVE-2026-25965
CVE-2026-25968
CVE-2026-25970
CVE-2026-25982
CVE-2026-25983
CVE-2026-25986
CVE-2026-25987
CVE-2026-25988
CVE-2026-25989
CVE-2026-26066
CVE-2026-26283
CVE-2026-27799
Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to information leaks, bypass of security policies, denial of
service or arbitrary code execution.