- Package: release.debian.org
- Source: release.debian.org
- Submitter: Pieter Lenaerts
- Date: 2026-05-23 13:37:03 UTC
- Severity: normal
- Tags:
Fix CVE-2026-42052 and #1135779

[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.

[ Impact ]
CVE remains unfixed.

[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the CVE is fixed. test/plugins/test_web.py should give assurance against regressions.

[ Risks ]
Regression in web ui plugin, but existing tests should cover this.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable

[ Changes ]
All input fields in the web ui js template are using escaping syntax (<%- %>) instead of the non-escaping syntax (<%= %>)

[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing work with eamanu who did a first review. My fix for unstable is also waiting review/upload.
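As an added illustration (not code from beets, the debdiff, or anyone in this thread), a minimal renderer for the two Underscore-style tags the change contrasts: `<%= %>` interpolates raw, `<%- %>` interpolates HTML-escaped. The `render`, `escapeHtml` and `isEscaped` functions and the sample item are assumptions made for this example, not the web plugin's own code.

```javascript
// Minimal stand-in for the two Underscore.js template tags:
//   <%= expr %>  raw interpolation   (unsafe for data a user can influence)
//   <%- expr %>  escaped interpolation (the form the bookworm fix switches to)
// Real Underscore templates compile JavaScript expressions; here the
// "expression" is just a dotted key looked up in a data object, which is
// enough to show why the escaping tag closes the XSS.

// Same character set Underscore's _.escape replaces.
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Render a template against a data object and return the resulting HTML.
function render(template, data) {
  return template.replace(/<%([-=])\s*([\w.]+)\s*%>/g, (_match, kind, key) => {
    const value = key.split(".").reduce((obj, k) => (obj == null ? undefined : obj[k]), data);
    const text = value === undefined || value === null ? "" : String(value);
    return kind === "-" ? escapeHtml(text) : text; // "=" leaves the value untouched
  });
}

// Constructed sample: a track title carrying markup, as the XSS report describes
// for fields that end up in the web UI. Metadata like this is untrusted input.
const SAMPLE_ITEM = { title: "<script>alert(1)</script>" };

// The two templates differ only in the tag used for the field.
const UNSAFE_TEMPLATE = '<li class="title"><%= title %></li>';
const SAFE_TEMPLATE = '<li class="title"><%- title %></li>';

function renderUnsafe() { return render(UNSAFE_TEMPLATE, SAMPLE_ITEM); }
function renderSafe() { return render(SAFE_TEMPLATE, SAMPLE_ITEM); }

// Regression-style check in the spirit of the test the report mentions:
// the rendered output must carry the field as text, never as a live tag.
function isEscaped(html) {
  return !html.includes("<script") && html.includes("&lt;script");
}

console.log("unsafe:", renderUnsafe());
console.log("safe:  ", renderSafe());
```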
Sorry, attached faulty debdiff. This one looks better.
Hi, jcfp has uploaded beets 2.11.0-1 to unstable. This fixes the CVE in unstable. Any other actions I should take before this change can be approved for upload into bookworm? Br, Pieter
Hi, Please go ahead. You will require a sponsor. Thanks,
Hi Emmanuel & Jeroen, You are the DDs helping me out with beets, so I'm bringing this bookworm-pu to your attention. I think all is ready from the stable release team side for an upload. My proposed changes are in https://salsa.debian.org/python-team/packages/beets/-/tree/debian/bookworm?ref_type=heads Thanks in advance for your review and comments or upload! Best regards, Pieter
Uploaded, thanks!
package release.debian.org
tags 1136745 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: beets
Version: 1.6.0-4+deb12u1
Explanation: fix XSS vulnerability [CVE-2026-42052]; fix FTBFS in tests