Format: 1.8
Date: Fri, 06 Feb 2026 10:34:57 +0100
Source: nova
Architecture: source
Version: 2:31.0.0-6+deb13u2
Distribution: trixie-security
Urgency: high
Maintainer: Debian OpenStack
Changed-By: Thomas Goirand
Closes: 1128294
Changes:
 nova (2:31.0.0-6+deb13u2) trixie-security; urgency=high
 .
   * CVE-2026-24708/OSSA-2026-002: By writing a malicious QCOW header to a
     root or ephemeral disk and then triggering a resize, a user may convince
     Nova's flat image backend to call qemu-img without a format restriction
     resulting in an unsafe image resize operation that could destroy data on
     the host system. Applied upstream patch (Closes: #1128294):
     - cve-2026-24708-make-disk.extend-pass-format-to-qemu-img-2025.1.patch