Your message dated Tue, 17 Feb 2026 21:44:32 +0100
with message-id <[email protected]>
and subject line Re: Accepted pillow 12.1.1-1 (source) into unstable
has caused the Debian Bug report #1127925,
regarding pillow: CVE-2026-25990
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127925: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127925
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pillow
Version: 11.1.0-5
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for pillow.
CVE-2026-25990[0]:
| Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n
| out-of-bounds write may be triggered when loading a specially
| crafted PSD image. This vulnerability is fixed in 12.1.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-25990
https://www.cve.org/CVERecord?id=CVE-2026-25990
[1]
https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc
[2]
https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: pillow
Source-Version: 12.1.1-1
Hi,
This update fixes CVE-2026-25990, reported as #1127925 but the update
did not close the bug. So doing manually.
Regards,
Salvatore
On Mon, Feb 16, 2026 at 10:19:13AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Mon, 16 Feb 2026 10:55:44 +0100
> Source: pillow
> Architecture: source
> Version: 12.1.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Matthias Klose <[email protected]>
> Changed-By: Matthias Klose <[email protected]>
> Changes:
> pillow (12.1.1-1) unstable; urgency=medium
> .
> * New upstream version.
> Checksums-Sha1:
> 0ab1748f8c8411d1451afecd8c2ee7be0f4acf3e 2399 pillow_12.1.1-1.dsc
> 039abb80f6853075c63b258e31e3ea251e3fdc8b 37219516 pillow_12.1.1.orig.tar.xz
> e3d27b13982d4ea5505664fe0e11a862b1cc8886 17172 pillow_12.1.1-1.debian.tar.xz
> 869320288e970c5d915ae7a401d067944a2f578d 11301
> pillow_12.1.1-1_source.buildinfo
> Checksums-Sha256:
> aa018436a99568ec9d42a5d067cf43c4c2eed4b492618635904ff73dcd832175 2399
> pillow_12.1.1-1.dsc
> bc71efe57b256dece7d2a53d4f3242ddb577d58b0939c331dc35cb72dbe37909 37219516
> pillow_12.1.1.orig.tar.xz
> 387a53a4be519ecb10b24a3d337c4df34476032edaab22cbdb0b05dc92a52ac1 17172
> pillow_12.1.1-1.debian.tar.xz
> 333e988bd3f0c9db57e016ca22a98c60678a2060234c1d0fae5b6d25eb2e8e57 11301
> pillow_12.1.1-1_source.buildinfo
> Files:
> 764ef43ff53f341208cabac5cb60313f 2399 python optional pillow_12.1.1-1.dsc
> e673e30777a3d9e68b8cc191e72da640 37219516 python optional
> pillow_12.1.1.orig.tar.xz
> 1144e38b507dce20132a106b7e8c5eab 17172 python optional
> pillow_12.1.1-1.debian.tar.xz
> 7346569bddaa168b00a5b6eeea94ebf2 11301 python optional
> pillow_12.1.1-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQJEBAEBCgAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmmS6jkQHGRva29AZGVi
> aWFuLm9yZwAKCRC9fqpgd4+m9U/9EADVh4n9hbjBxghkmiD+65g6oSbF/sK9aTXG
> l/xsKaNV3KJko5Ww6bevSEP3fXW8qi5VerB+I3bzNZlsLk3mo0+8v1Ww2lP3qgaw
> i0kmk7hUdLHVar2Un8jg4FOZC1m0LJq3qEj5e0lcn5jE9yu/w5QHYBQ3rVdMFJTZ
> ijwOFEjv6k9sG252e9yZ9glnOpaWd6sDCRotg8eNukZPQ2ZGq7jn8WOJco7F3t6h
> EvDF1ZhplpITnPw/IZt/3tx55a2hX9s+VolWjkkUtu9Le4oSwxu7VnTMf/ZeD/Qj
> LBKyEf6saV0mFLhtwSOsq1GS69heItaYiTsZVoiDishZjpPkbp81gSQNTC64eONM
> nZ0cjwTewQq+TCEU8IovvVjp6Cqz5qix/cHASwUwzxEBffCJHtsJc8PFiswyzGL7
> 7OzhbOjTQfIQuu4dWRetNNq7no8apUnVoqZqQVyIGqS6NHT1Wuu59oZTFO63gF54
> NI2hX+zYk+OdhD9cazzfSUBwK20E/n+mLIusH41Mh58wK/nodKhfT5C2+xq2rcv8
> UE8Kg+7wbjdmwipM6UJDo13OJ/M6XSO42ZIC901ec4KX661ZxIvIX7owaEkEKDrW
> tNUARnddnoy7kqGdicU1FvJ6EpB0n4fmzRWavxJ7gcq9MdLBwECXMC50C8stRCdC
> Z4DgxMW12g==
> =wc/d
> -----END PGP SIGNATURE-----
>
--- End Message ---
