Debian alert DLA-4486-1 (nova) [LWN.net]


From:
               Carlos Henrique Lima Melara <charles@debian.org>
To:
               debian-lts-announce@lists.debian.org
Subject:
               [SECURITY] [DLA 4486-1] nova security update
Date:
               Fri, 20 Feb 2026 23:42:54 -0300
Message-ID:
               <aZkbjHr7QEOg-EOC@fw13.lan>
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4486-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/          Carlos Henrique Lima Melara
February 20, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nova
Version        : 2:22.4.0-1~deb11u7
CVE ID         : CVE-2026-24708
Debian Bug     : 1128294

Dan Smith discovered that nova, a cloud computing fabric controller,
calls qemu-img without format restrictions for resize, which may result
in unsafe image resize operations that could destroy data on the host
system. Only compute nodes using the Flat image backend are affected.

For Debian 11 bullseye, this problem has been fixed in version
2:22.4.0-1~deb11u7.

We recommend that you upgrade your nova packages.

For the detailed security status of nova please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nova

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEECgzx8d8+AINglLHJt4M9ggJ8mQsFAmmZG60ACgkQt4M9ggJ8
mQvnuw//Wn1kJXrU/z+U/XONH4OiSLKi80ay3VbGUrMtoIKXRCHZ515/5LHqyfEj
duQ4efSyXk0d9dwGpI56kG6dPgHxI+0RRyvGhhmiElNwp4OsMVA895BEKyBDNyWZ
rtjBFZbNdFL4I2bTD1OL7sez0UKDqY28pjYCD2eGq8s1jOvZxJqjmHvkAG3GqVG0
GuLyln+8ZDwEyx/+uJ8iR0Oq4i58dWOTLJ6OcUnSlCJ5aMreZwXLqQJLMHs7stBD
olwHDqQ/MS4QJt8qDG3FlS6FPeEwAoq6XXfKWAM09r7Rp7HPwLDBadCxk4aNZGzw
tJqXiftg6oSMGe6LzmUKeYyjU3XikANBQGdTc9mz1pb25XyIwDBhH5+5nmoh80Mt
/qK4SCzkKnc0+b0E9ctKuMylCPLWAxiDESV93VygaovLgo6tzjIC3urL2XVcjbNj
hFBjlJWoiAp/+geRnNTwKJacnD+HozdGR9IVI2bKA7DBZkBJ9MHX2iWlPB7uGkTA
iSqa53vEhqKrruuQLPiCShGX/Q0k5zIMYWX4kYDsn/QlSJyX7s3MCnqEZt9H6u6I
zpm5fewVIcSJOD8JdrE2eY/fhAxKVqXyi2Y5ujz4Kfk1UuupFRlyx/VrINPn2n+6
xsWmJRy6JpJvoTyCOGAOO4HlqQ8OwecpNYsFf4+hlKWuqTNpma8=
=JWNY
-----END PGP SIGNATURE-----

From:		Carlos Henrique Lima Melara <charles@debian.org>
To:		debian-lts-announce@lists.debian.org
Subject:		[SECURITY] [DLA 4486-1] nova security update
Date:		Fri, 20 Feb 2026 23:42:54 -0300
Message-ID:		<aZkbjHr7QEOg-EOC@fw13.lan>