#1136745 bookworm-pu: package beets/1.6.0-4+deb12u1

#1136745#5
Date:
2026-05-15 16:16:36 UTC
From:
To:
Fix CVE-2026-42052 and #1135779

[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.

[ Impact ]
CVE remains unfixed.

[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the
CVE is fixed.
test/plugins/test_web.py should give assurance against regressions.

[ Risks ]
Regression in web ui plugin, but existing tests should cover this.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
All input fields in the web ui js template are using escaping syntax (<%- %>)
instead of the non-escaping syntax (<%= %>).

[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing work
with eamanu who did a first review.

My fix for unstable is also waiting review/upload.
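An added example (not code from beets or the debdiff) of why the change above matters: a minimal renderer that mimics the Underscore.js semantics of the two interpolation tags, so the same untrusted value can be rendered through the pre-fix `<%= %>` form and the fixed `<%- %>` form side by side. The `track` object and both template strings are constructed for the demonstration.

```javascript
// Added example, not from the beets package: a tiny template renderer that
// reproduces the Underscore.js meaning of the two interpolation tags named in
// the bug: `<%= expr %>` inserts the value raw, `<%- expr %>` HTML-escapes it.

// Same character set as Underscore's _.escape.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders only the two interpolation forms; `expr` is resolved as a dotted
// path in `data` (no arbitrary code evaluation, unlike the real _.template).
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_m, mode, expr) => {
    const value = expr.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// Constructed sample: a hypothetical tag value that happens to carry markup.
const track = { title: '<b>Sample</b> & "Demo"', artist: 'Someone' };

// Pre-fix form: the non-escaping tag leaves the markup live in the page.
const UNSAFE_TEMPLATE = '<li><%= track.title %> - <%= track.artist %></li>';
// Fixed form, as in the bookworm update: every interpolation escapes.
const SAFE_TEMPLATE = '<li><%- track.title %> - <%- track.artist %></li>';

function renderUnsafe() { return render(UNSAFE_TEMPLATE, { track }); }
function renderSafe() { return render(SAFE_TEMPLATE, { track }); }

console.log(renderUnsafe());
console.log(renderSafe());
```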

#1136745#12
Date:
2026-05-15 16:45:56 UTC
From:
To:
Sorry, attached faulty debdiff. This one looks better.

#1136745#19
Date:
2026-05-18 17:51:11 UTC
From:
To:
Hi,

jcfp has uploaded beets 2.11.0-1 to unstable. This fixes the CVE in unstable.

Any other actions I should take before this change can be approved for upload
into bookworm?

Br,

Pieter

#1136745#24
Date:
2026-05-22 21:30:34 UTC
From:
To:
Hi,

Please go ahead. You will require a sponsor.

Thanks,

#1136745#31
Date:
2026-05-23 05:44:25 UTC
From:
To:
Hi Emmanuel & Jeroen,

You are the DD's helping me out with beets, so I'm bringing this bookworm-pu to
your attention.

I think all is ready from the stable release team side for an upload.

My proposed changes are in https://salsa.debian.org/python-team/packages/beets/-/tree/debian/bookworm?ref_type=heads

Thanks in advance for your review and comments or upload!

Best regards,

Pieter

#1136745#36
Date:
2026-05-23 11:44:06 UTC
From:
To:
Uploaded, thanks!

#1136745#41
Date:
2026-05-23 13:35:44 UTC
From:
To:
package release.debian.org
tags 1136745 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: beets
Version: 1.6.0-4+deb12u1

Explanation: fix XSS vulnerability [CVE-2026-42052]; fix FTBFS in tests
