Your message dated Sun, 24 May 2026 08:35:24 +0000
with message-id <[email protected]>
and subject line Bug#1136161: fixed in calibre 6.13.0+repack-2+deb12u7
has caused the Debian Bug report #1136161,
regarding calibre: upstream 9.8 contains unannounced security fixes; please review affected Debian versions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136161: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136161
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: calibre
Severity: important
Tags: security upstream

Dear Maintainer,

I would like to report that upstream calibre contains a public commit titled
"Fix security vulnerabilities and code quality issues":

https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166

The commit date is Tue, 21 Apr 2026. The commit message explicitly lists
multiple security-related fixes, including:

High severity:
- Fix typo normapth -> normpath in srv/content.py (broken endpoint)
- Replace eval() with ast.literal_eval() in catalogs/epub_mobi.py
- Log exceptions in FunctionDispatcher.dispatch instead of swallowing

Medium severity:
- Add path traversal protection to DirContainer read/write/exists
- Fix XPath injection in comments_editor.py merge_contiguous_links
- Use parameterized SQL queries in database2.py library_id setter
- Add safety comment to pickle_loads in utils/serialize.py

However, these fixes do not appear to be mentioned in the upstream calibre
9.8 release notes:

https://calibre-ebook.com/whats-new

The 9.8 release notes list new features and ordinary bug fixes, but I do not
see these security-related fixes or CVE references mentioned there.

Debian unstable currently has calibre 9.8.0+ds+~0.10.5-1, which appears likely
to include the upstream fixes. However, Debian testing/stable/backports may
still contain older versions, so I think this should be reviewed for Debian
security tracking and possible backports.

Please could you check whether the issues fixed by the upstream commit affect
the Debian-packaged versions, especially testing/stable/backports, and whether
they should receive CVE/security-tracker entries or Debian security updates?

I am not including exploit details; the concern is based on the public upstream
commit message and the absence of corresponding release-note/security-tracker
visibility.

Relevant upstream commit:
https://github.com/kovidgoyal/calibre/commit/b0c4ba19686232d5bff99d58ce6019546ef4d166

Upstream 9.8 release notes:
https://calibre-ebook.com/whats-new

Debian package tracker:
https://tracker.debian.org/pkg/calibre

--- End Message ---
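The "path traversal protection to DirContainer read/write/exists" item in the report above describes a guard that is easy to get wrong. The following is an added illustration, not calibre's code: a hypothetical SafeDirContainer whose read/write/exists resolve each requested name against the container root and refuse anything that escapes it (the class, method names and the temporary-directory demo are all assumptions for this example).

```python
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Requested name would resolve outside the container root."""

class SafeDirContainer:
    """Hypothetical container (not calibre's DirContainer): every name is
    resolved against root and refused unless the result stays inside it."""

    def __init__(self, root):
        self.root = Path(root).resolve()

    def _safe_path(self, name):
        # resolve() collapses '..' and follows symlinks before the check,
        # so '../x', absolute names and outward-pointing links are all caught
        candidate = (self.root / name).resolve()
        try:
            candidate.relative_to(self.root)  # ValueError if outside root
        except ValueError:
            raise PathTraversalError(f"refusing {name!r}: outside root") from None
        return candidate

    def exists(self, name):
        return self._safe_path(name).exists()

    def read(self, name):
        return self._safe_path(name).read_bytes()

    def write(self, name, data):
        path = self._safe_path(name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo():
    # constructed check: a normal name works, a traversal attempt is refused
    with tempfile.TemporaryDirectory() as tmp:
        c = SafeDirContainer(tmp)
        c.write("book/meta.txt", b"title")
        ok = c.exists("book/meta.txt") and c.read("book/meta.txt") == b"title"
        blocked = False
        try:
            c.read("../../../etc/hostname")
        except PathTraversalError:
            blocked = True
    return ok, blocked
```

The check must run on the resolved path, not on the raw string: rejecting a literal ".." is not enough once symlinks or absolute names are involved.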
--- Begin Message ---
Source: calibre
Source-Version: 6.13.0+repack-2+deb12u7
Done: YOKOTA Hiroshi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
calibre, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
YOKOTA Hiroshi <[email protected]> (supplier of updated calibre package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 10 May 2026 17:03:19 +0900
Source: calibre
Architecture: source
Version: 6.13.0+repack-2+deb12u7
Distribution: bookworm
Urgency: medium
Maintainer: Calibre maintainer team <[email protected]>
Changed-By: YOKOTA Hiroshi <[email protected]>
Closes: 1136161
Changes:
 calibre (6.13.0+repack-2+deb12u7) bookworm; urgency=medium
 .
   * Fix security vulnerabilities and code quality issues (Closes: #1136161)

--- End Message ---