#1136681 trixie-pu: package beets/2.2.0-3

#1136681#5
Date:
2026-05-14 18:59:14 UTC
From:
To:
Fix CVE-2026-42052 and #1135779

[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.
[ Impact ]
CVE remains unfixed.

[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the
CVE is fixed.
test/plugins/test_web.py should give assurance against regressions.

[ Risks ]
Regression in web ui plugin, but existing tests should cover this.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable, not uploaded yet.

[ Changes ]
All input fields in the web ui js template are using escaping syntax (<%- %>)
instead of the non-escaping syntax (<%= %>)

[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing work
with eamanu who did a first review.
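To make the change in [ Changes ] concrete, here is an added example (not beets code, not from the debdiff) with a tiny renderer that mimics the two Underscore.js template delimiters: `<%= %>` interpolates raw, `<%- %>` HTML-escapes first. The track title is a constructed sample; `render`, `escapeHtml` and the two template strings are assumptions for the illustration.

```javascript
// Added example, not part of beets: minimal stand-in for Underscore.js templates.
//   <%= expr %>  interpolate raw (the pre-fix, non-escaping syntax)
//   <%- expr %>  HTML-escape, then interpolate (the syntax the fix switches to)
// Only dotted property lookups are supported; enough to show the difference.

function escapeHtml(value) {
  // Same character set Underscore's _.escape handles.
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_, mode, expr) => {
    const value = expr.split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// Constructed sample: metadata that reaches the web UI from a tagged file.
// Markup in a title is data and must render as text, never as elements.
const sampleItem = { title: 'Live <b>at the club</b> & "friends"', artist: 'Trio' };

const vulnerableTemplate = '<li><%= item.title %> - <%= item.artist %></li>';
const fixedTemplate      = '<li><%- item.title %> - <%- item.artist %></li>';

function renderVulnerable(item) { return render(vulnerableTemplate, { item }); }
function renderFixed(item) { return render(fixedTemplate, { item }); }

// Regression-style check in the spirit of the added test_web.py test:
// after escaping, no tag from the input may survive as an element.
function leaksMarkup(html, untrusted) {
  return html.includes(untrusted);
}

console.log(renderVulnerable(sampleItem));
console.log(renderFixed(sampleItem));
```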

#1136681#12
Date:
2026-05-14 19:10:12 UTC
From:
To:
Hi,

Small remark procedure wise (but I'm not authoritatively speaking
here, I'm not a SRM): The fix really needs to be first in unstable
before a trixie-pu update can be considered. But at this point the
beets update might be considered for the 13.6 point release on 11th
July (as we missed the window for the next one on 16th May).

Regards,
Salvatore

#1136681#17
Date:
2026-05-14 19:36:07 UTC
From:
To:
On Thu May 14, 2026 at 9:10 PM CEST, Salvatore Bonaccorso wrote:

Thanks for your very quick response, Salvatore.
unstable.

I also forgot to mention that code is in the debian/trixie branch in salsa:
https://salsa.debian.org/python-team/packages/beets/-/tree/debian/trixie

Best regards,

Pieter

#1136681#22
Date:
2026-05-15 16:48:37 UTC
From:
To:
Sorry, my debdiff was not created in the right way. This one looks better.

#1136681#29
Date:
2026-05-18 17:49:26 UTC
From:
To:
Hi,

jcfp has uploaded beets 2.11.0-1 to unstable. This fixes the CVE in unstable.

Any other actions I should take before this change can be approved for upload
into trixie?

Br,

Pieter

#1136681#34
Date:
2026-05-24 09:13:19 UTC
From:
To:
Hi,

Please go ahead.

Thanks,

#1136681#41
Date:
2026-05-24 12:46:53 UTC
From:
To:
Hi Emmanuel & Jeroen,

As you can see we have green light from the stable release team for the beets
CVE fix in trixie.

Can one of you review and/or upload when you find time?

Thanks in advance!

Pieter

#1136681#46
Date:
2026-05-25 09:23:57 UTC
From:
To:
Done.

#1136681#51
Date:
2026-05-25 12:35:16 UTC
From:
To:
package release.debian.org
tags 1136681 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: beets
Version: 2.2.0-3+deb13u1

Explanation: fix XSS vulnerability [CVE-2026-42052]
