#1137466 trixie-pu: package calibre/8.5.0+ds-1+deb13u4

#1137466#5
Date:
2026-05-24 06:41:38 UTC
From:
To:
[ Reason ]

Fix these CVEs.
CVE-2026-30853: Path Traversal Leading to Arbitrary File Write
CVE-2026-33205: Server-Side Request Forgery in ebook viewer backend
CVE-2026-33206: Path traversal allows reading arbitrary files when converting a
text-based file

[ Impact ]
CVEs (max severity: 8.2/10) are unfixed.

[ Tests ]
Automated build-time test was successful.

[ Risks ]
Not well tested on trixie machine.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* Fix for CVE-2026-30853
* Fix for CVE-2026-33205
* Fix for CVE-2026-33206

[ Other info ]
deb13u3 fix is not confirmed by release team yet.
So, please confirm deb13u3 fix first.
https://github.com/debian-
calibre/calibre/compare/15e9d5649d1ff27e8bbd033309546080c0b8797c...debian/trixie