- Package:
- release.debian.org
- Source:
- release.debian.org
- Submitter:
- Pieter Lenaerts
- Date:
- 2026-05-25 12:37:02 UTC
- Severity:
- normal
- Tags:
Fix CVE-2026-42052 and #1135779

[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.

[ Impact ]
CVE remains unfixed.

[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the CVE is fixed. test/plugins/test_web.py should give assurance against regressions.

[ Risks ]
Regression in web ui plugin, but existing tests should cover this.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable, not uploaded yet.

[ Changes ]
All input fields in the web ui js template are using escaping syntax (<%- %>) instead of the non-escaping syntax (<%= %>)

[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing work with eamanu who did a first review.
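The `<%= %>` versus `<%- %>` distinction in the [ Changes ] section above is Underscore.js template syntax: `<%= %>` interpolates a value verbatim into the markup, `<%- %>` HTML-escapes it first. The following is an added example, not code from beets or from the Debian upload, showing why the substitution closes the XSS: a toy renderer that implements only those two tags, run over a constructed track whose title carries a script-bearing payload. The item fields, template strings and function names are assumptions for illustration (real Underscore evaluates arbitrary JavaScript inside the tags; this toy only looks up plain keys).

```javascript
// Added example, not beets code. A minimal Underscore-style template renderer
// implementing only the two interpolation tags the bug report discusses:
//   <%= expr %>  inserts the value verbatim (non-escaping)
//   <%- expr %>  HTML-escapes the value first (escaping)
// Keys are looked up on the data object; dotted paths are supported.
// Real Underscore evaluates JS expressions, which this toy deliberately does not.

const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Escape the characters that let a value break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Render a template; mode "=" is raw interpolation, mode "-" is escaped.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_, mode, key) => {
    const value = key.split('.').reduce((o, k) => (o == null ? undefined : o[k]), data);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// Constructed sample item (assumed shape): a track whose title carries an
// XSS payload, as it could arrive from a tagged file the web UI then lists.
const ITEM = {
  title: '<img src=x onerror=alert(document.cookie)>',
  artist: 'Example "Artist"',
};

// "Before": raw interpolation, the vulnerable form.  "After": escaped form.
const UNSAFE_TEMPLATE = '<li class="item"><%= title %> by <%= artist %></li>';
const SAFE_TEMPLATE   = '<li class="item"><%- title %> by <%- artist %></li>';

function renderUnsafe(item = ITEM) { return render(UNSAFE_TEMPLATE, item); }
function renderSafe(item = ITEM)   { return render(SAFE_TEMPLATE, item); }

// Regression check in the spirit of the unit test the bug mentions: the
// user-controlled field must never appear verbatim in the rendered markup.
function containsRawField(html, fieldValue) {
  return html.includes(fieldValue);
}

console.log('unsafe:', renderUnsafe());
console.log('safe:  ', renderSafe());
```

The unsafe rendering hands the browser a live `<img onerror=...>` element; the escaped rendering turns the angle brackets and quotes into entities so the payload is displayed as text. A test like `containsRawField(renderSafe(), ITEM.title)` returning `false` is the assertion that catches any template field reverting to `<%= %>`.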
Hi,

Small remark procedure-wise (but I'm not authoritatively speaking here, I'm not a SRM): The fix really needs to be first in unstable before a trixie-pu update can be considered. But at this point the beets update might be considered for the 13.6 point release on 11th July (as we missed the window for the next one on 16th May).

Regards,
Salvatore
On Thu May 14, 2026 at 9:10 PM CEST, Salvatore Bonaccorso wrote: Thanks for your very quick response, Salvatore. unstable. I also forgot to mention that code is in the debian/trixie branch in salsa: https://salsa.debian.org/python-team/packages/beets/-/tree/debian/trixie Best regards, Pieter
Sorry, my debdiff was not created in the right way. This one looks better.
Hi, jcfp has uploaded beets 2.11.0-1 to unstable. This fixes the CVE in unstable. Any other actions I should take before this change can be approved for upload into trixie? Br, Pieter
Hi, Please go ahead. Thanks,
Hi Emmanuel & Jeroen, As you can see we have green light from the stable release team for the beets CVE fix in trixie. Can one of you review and/or upload when you find time? Thanks in advance! Pieter
Done.
package release.debian.org
tags 1136681 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: beets
Version: 2.2.0-3+deb13u1

Explanation: fix XSS vulnerability [CVE-2026-42052]