Your message dated Thu, 25 Dec 2025 17:54:34 +0000
with message-id <[email protected]>
and subject line Bug#1121540: fixed in spotipy 2.25.2-1
has caused the Debian Bug report #1121540,
regarding spotipy: CVE-2025-66040
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121540: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121540
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: spotipy
Version: 2.25.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for spotipy.

CVE-2025-66040[0]:
| Spotipy is a Python library for the Spotify Web API. Prior to
| version 2.25.2, there is a cross-site scripting (XSS) vulnerability
| in the OAuth callback server that allows for JavaScript injection
| through the unsanitized error parameter. Attackers can execute
| arbitrary JavaScript in the user's browser during OAuth
| authentication. This issue has been patched in version 2.25.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66040
    https://www.cve.org/CVERecord?id=CVE-2025-66040
[1] https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm
[2] https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767

Regards,
Salvatore

--- End Message ---
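The CVE text quoted above describes the bug class rather than the code: a local OAuth redirect listener that reflects the `error` query parameter of the callback URL into its HTML response without escaping, so an attacker who can get the user's browser to hit the listener with a crafted URL runs script in that page. The block below is an added, self-contained Python example written for this page; it is not spotipy's code and not the change in the referenced commit. It shows a hypothetical loopback callback handler with the vulnerable rendering next to the escaped rendering, plus a response-header hardening; the redirect URLs are constructed test inputs.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed callback URLs of the kind a browser sends to a loopback OAuth
# listener after the authorization server redirects back. The second one
# carries a hostile "error" value; it is a made-up test input, not data from
# the advisory.
BENIGN_REDIRECT = "http://127.0.0.1:8080/?code=constructed-auth-code&state=xyz"
HOSTILE_REDIRECT = (
    "http://127.0.0.1:8080/?error=%3Cscript%3Ealert(1)%3C%2Fscript%3E&state=xyz"
)


def parse_callback(url):
    """Return the first value of code/error/state from a redirect URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: qs.get(key, [None])[0] for key in ("code", "error", "state")}


def render_unsafe(params):
    """Vulnerable pattern: the provider-supplied error string is interpolated
    into the HTML body verbatim, so "<script>..." becomes live markup."""
    if params["error"]:
        return (
            "<html><body><h1>Authorization failed: "
            f"{params['error']}</h1></body></html>"
        )
    return "<html><body><h1>Authorization successful</h1></body></html>"


def render_safe(params):
    """Hardened pattern: HTML-escape before interpolation. quote=True also
    escapes quotes so the value stays inert inside attributes."""
    if params["error"]:
        return (
            "<html><body><h1>Authorization failed: "
            f"{html.escape(params['error'], quote=True)}</h1></body></html>"
        )
    return "<html><body><h1>Authorization successful</h1></body></html>"


def contains_active_markup(page):
    """Crude marker used here to show the difference between the two renderers:
    a raw <script tag survived into the page."""
    return "<script" in page.lower()


class CallbackHandler(BaseHTTPRequestHandler):
    """Hypothetical loopback handler (assumed, not spotipy's): serves the
    escaped page and adds a CSP that forbids script even if escaping were
    ever missed elsewhere."""

    def do_GET(self):
        params = parse_callback("http://127.0.0.1" + self.path)
        body = render_safe(params).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", "default-src 'none'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Do not echo query strings (which carry the auth code) into logs.
        return


if __name__ == "__main__":
    hostile = parse_callback(HOSTILE_REDIRECT)
    print("unsafe:", render_unsafe(hostile))
    print("safe:  ", render_safe(hostile))
    # Serve a single escaped callback page on the loopback port, then exit.
    server = HTTPServer(("127.0.0.1", 8080), CallbackHandler)
    server.handle_request()
```

Running the module prints the two renderings for the hostile URL: the unsafe one contains a live `<script>` element, the safe one the text `&lt;script&gt;alert(1)&lt;/script&gt;`. Escaping at the point of output is the fix for this bug class; the CSP header is belt-and-braces for a page that never legitimately needs script.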
--- Begin Message ---
Source: spotipy
Source-Version: 2.25.2-1
Done: Edward Betts <[email protected]>

We believe that the bug you reported is fixed in the latest version of
spotipy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Edward Betts <[email protected]> (supplier of updated spotipy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Dec 2025 17:12:20 +0000
Source: spotipy
Architecture: source
Version: 2.25.2-1
Distribution: unstable
Urgency: medium
Maintainer: Home Assistant Team <[email protected]>
Changed-By: Edward Betts <[email protected]>
Closes: 1121540
Changes:
 spotipy (2.25.2-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fix CVE-2025-66040 (Closes: #1121540)
   * Remove 'Priority: optional', now the default.
   * Remove 'Rules-Requires-Root: no', now the default.
   * Update Standards-Version.
   * Update debian/watch to format version 5.
   * Add debian/salsa-ci.yml.
Checksums-Sha1:
 afb7185e83b303e2169e88ef02670d70c00301d5 2194 spotipy_2.25.2-1.dsc
 54b3e43676a9939d058e2daac8dc156b17290d97 108288 spotipy_2.25.2.orig.tar.gz
 fc1cd4ccb6d6e3187c75f2de5e789705af65f391 2512 spotipy_2.25.2-1.debian.tar.xz
 ca96d3b5a74e41c18d1343aa769f783505592dee 6567 spotipy_2.25.2-1_source.buildinfo
Checksums-Sha256:
 f658d55c0dfad3b95471c81859612959b358ee1b5b7d9128eb8918c7a37a5a16 2194 spotipy_2.25.2-1.dsc
 0878ae8a71a13f8956bb1d42ea845e092822de205de11be685b371895e430fdc 108288 spotipy_2.25.2.orig.tar.gz
 351ec9302f8e02d01dfdc9fdc44e983cff48895e9c8182c872d138f0a5bf695b 2512 spotipy_2.25.2-1.debian.tar.xz
 b145b57bec649fa1f0df7aced00c74ca558ecb65d82e95ae563d73e53baa50fe 6567 spotipy_2.25.2-1_source.buildinfo
Files:
 6d487a641eeae60fbccae8d14bc0de85 2194 python optional spotipy_2.25.2-1.dsc
 0f4477d40d2ba495324d3cd925bd32db 108288 python optional spotipy_2.25.2.orig.tar.gz
 fd19c9d35533c7473df00001a54457b4 2512 python optional spotipy_2.25.2-1.debian.tar.xz
 b64b5c3e9a92ff2e5a53a35791dba598 6567 python optional spotipy_2.25.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpQ2S0lqh6py.pgp
Description: PGP signature


--- End Message ---
