Your message dated Sat, 21 Feb 2026 19:48:01 +0000
with message-id <[email protected]>
and subject line Bug#1127925: fixed in pillow 11.1.0-5+deb13u1
has caused the Debian Bug report #1127925,
regarding pillow: CVE-2026-25990
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127925: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127925
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pillow
Version: 11.1.0-5
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for pillow.

CVE-2026-25990[0]:
| Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an
| out-of-bounds write may be triggered when loading a specially
| crafted PSD image. This vulnerability is fixed in 12.1.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25990
    https://www.cve.org/CVERecord?id=CVE-2026-25990
[1] https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc
[2] https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: pillow
Source-Version: 11.1.0-5+deb13u1
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pillow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated pillow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Feb 2026 20:20:45 +0100
Source: pillow
Architecture: source
Version: 11.1.0-5+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1127925
Changes:
 pillow (11.1.0-5+deb13u1) trixie-security; urgency=medium
 .
   * CVE-2026-25990 (Closes: #1127925)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
