Format: 1.8
Date: Fri, 06 Feb 2026 11:19:03 +0100
Source: nova
Architecture: source
Version: 2:26.2.2-1~deb12u4
Distribution: bookworm-security
Urgency: high
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Closes: 1128294
Changes:
 nova (2:26.2.2-1~deb12u4) bookworm-security; urgency=high
 .
   * CVE-2026-24708/OSSA-2026-002: By writing a malicious QCOW header to a
     root or ephemeral disk and then triggering a resize, a user may convince
     Nova's flat image backend to call qemu-img without a format restriction
     resulting in an unsafe image resize operation that could destroy data on
     the host system. Applied upstream patch (Closes: #1128294):
     - cve-2026-24708-make-disk.extend-pass-format-to-qemu-img-2024.2.patch
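
The changelog entry above turns on whether qemu-img is told the disk format or left to infer it from bytes the guest controls. The following is an added example, not code from Nova or from the Debian patch: it contrasts a resize call without a format restriction with one pinned by `-f`, and flags a disk whose content disagrees with the format the host recorded. The function names, sample headers and path are assumptions constructed for illustration.

```python
import struct
from typing import List, Optional

QCOW_MAGIC = b"QFI\xfb"  # leading bytes of a QCOW/QCOW2 header

# Constructed sample data: first sector of a disk the guest left alone, and one
# where the guest overwrote the start of its raw disk with a QCOW2 v3 header.
CLEAN_HEAD = b"\x00" * 512
TAMPERED_HEAD = QCOW_MAGIC + struct.pack(">I", 3) + b"\x00" * 504


def probe_format(head: bytes) -> str:
    """What content-based probing concludes from the first bytes of a disk."""
    if len(head) >= 8 and head[:4] == QCOW_MAGIC:
        (version,) = struct.unpack(">I", head[4:8])  # big-endian version field
        if version == 1:
            return "qcow"
        if version in (2, 3):
            return "qcow2"
    return "raw"


def resize_argv(path: str, size_bytes: int, fmt: Optional[str] = None) -> List[str]:
    """Build the qemu-img call; with fmt=None qemu-img probes the content."""
    argv = ["qemu-img", "resize"]
    if fmt is not None:
        argv += ["-f", fmt]  # pin the driver to the format the host recorded
    return argv + [path, str(size_bytes)]


def check_disk(head: bytes, recorded_fmt: str) -> Optional[str]:
    """Return a finding when guest-written content disagrees with the record."""
    probed = probe_format(head)
    if probed != recorded_fmt:
        return f"recorded as {recorded_fmt}, content probes as {probed}"
    return None


if __name__ == "__main__":
    path = "/tmp/example-instance/disk"  # hypothetical path, not from the page
    size = 20 * 1024**3
    for name, head in (("clean", CLEAN_HEAD), ("tampered", TAMPERED_HEAD)):
        print(name, "finding:", check_disk(head, "raw"))
        print("  no format restriction:", " ".join(resize_argv(path, size)))
        print("  format pinned:        ", " ".join(resize_argv(path, size, fmt="raw")))
```

With the format pinned, the header the guest wrote is treated as plain data inside a raw disk, so the resize acts on the file the host expects regardless of what `probe_format` would have concluded.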