Format: 1.8
Date: Sun, 01 Mar 2026 16:11:43 +0900
Source: calibre
Architecture: source
Version: 8.5.0+ds-1+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Calibre maintainer team
Changed-By: YOKOTA Hiroshi
Changes:
 calibre (8.5.0+ds-1+deb13u2) trixie; urgency=medium
 .
   * CVE-2026-25635: CHM Input: Ignore internal files that have paths that
     end up outside the container
   * CVE-2026-25636: DRYer
   * CVE-2026-25731: ZIP Output: Change the template engine used for HTML
     templating from templite to Mustache, for greater safety and
     performance. Note that this is a breaking change if you use custom
     templates with ZIP output.
   * Use pystache instead of templite to fix CVE-2026-25731
   * Add NEWS about CVE-2026-25731 fix
   * CVE-2026-26064: ODT Input: Ensure images are extracted within container
   * CVE-2026-26065: PDB Input: Ensure extracted images are within the
     container
   * CVE-2026-27810: Content server: Sanitize content disposition received
     as query parameter
   * CVE-2026-27824: Content server: When banning IPs for repeated login is
     enabled, only use the IP address not any HTTP headers as the ban key
Checksums-Sha1:
 93021a2916503da4b2c9676133f962c3daaa60d2 3681 calibre_8.5.0+ds-1+deb13u2.dsc
 7e0ce1d3f17e7038a8310685bf5403c4720e7ce5 892520 calibre_8.5.0+ds-1+deb13u2.debian.tar.xz
 469e8c699965b42d7d95bf0959f2d30961d1d5ca 23739 calibre_8.5.0+ds-1+deb13u2_source.buildinfo
Checksums-Sha256:
 3b1e45295a00d845cb3abfc047343f88e20df81cf7ded1876384cfa300721a02 3681 calibre_8.5.0+ds-1+deb13u2.dsc
 7229808a1384892fdb1ee52fcbd93224432b3fe65728f0a9c8af0bfb3847a944 892520 calibre_8.5.0+ds-1+deb13u2.debian.tar.xz
 5e293069ce0b71d7136de0e6e4311375f8a9bf8d8001584506a1600d771cbe22 23739 calibre_8.5.0+ds-1+deb13u2_source.buildinfo
Files:
 544b6b600a6472ed0a00cc81e48592d1 3681 text optional calibre_8.5.0+ds-1+deb13u2.dsc
 10ef81289f3c74cd756b266a1dbb96c0 892520 text optional calibre_8.5.0+ds-1+deb13u2.debian.tar.xz
 8cd1d1ae3e7cfc62e8b230dbcbc929ba 23739 text optional calibre_8.5.0+ds-1+deb13u2_source.buildinfo