Your message dated Sat, 16 May 2026 11:30:14 +0000
with message-id <[email protected]>
and subject line Bug#1135779: fixed in beets 2.11.0-1
has caused the Debian Bug report #1135779,
regarding beets: CVE-2026-42052
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135779: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: beets
Version: 2.8.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for beets.

CVE-2026-42052[0]:
| Beets is the media library management system. Prior to version
| 2.10.0, the bundled web UI uses Underscore template interpolation
| mode <%= ... %> for untrusted metadata fields. In this runtime, <%=
| ... %> is raw insertion and HTML escaping is only performed by <%-
| ... %>. Rendered output is then inserted with .html(...), allowing
| attacker-controlled markup to become active DOM. This issue has been
| patched in version 2.10.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42052
    https://www.cve.org/CVERecord?id=CVE-2026-42052
[1] https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
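An added illustration of the mechanism the advisory quoted above describes; this is not code from beets, from Underscore, or from the bug report. It is a minimal renderer written here to mirror Underscore's default delimiters (raw interpolation with <%= ... %>, escaped interpolation with <%- ... %>) and the same character map Underscore's _.escape uses, plus a small review check that lists every raw-interpolation tag in a template source. The sample item, template strings and function names are constructed for the example.

```javascript
// Added example, not beets or Underscore code: a tiny template renderer that
// reproduces the <%= %> (raw) versus <%- %> (escaped) distinction so the
// difference can be seen without the library. Real Underscore compiles
// templates to JavaScript; this version only substitutes property lookups.

// Same replacement map Underscore's _.escape applies.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s.replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Dotted property lookup, e.g. "item.title" -> data.item.title.
function lookup(obj, path) {
  return path.split('.').reduce((acc, k) => (acc == null ? undefined : acc[k]), obj);
}

// Minimal renderer: only simple dotted names are supported inside the tags.
// <%- %> is substituted first; its output never contains "<", so it can
// never be re-read as a raw tag by the second pass.
function renderTemplate(template, data) {
  return template
    .replace(/<%-\s*([\w.]+)\s*%>/g, (_, key) => escapeHtml(lookup(data, key)))
    .replace(/<%=\s*([\w.]+)\s*%>/g, (_, key) => {
      const v = lookup(data, key);
      return v == null ? '' : String(v);
    });
}

// Review check: collect every raw-interpolation expression in a template
// source so a reviewer can confirm none of them carries untrusted metadata.
function findRawInterpolations(template) {
  const found = [];
  const re = /<%=\s*([\s\S]*?)\s*%>/g;
  let m;
  while ((m = re.exec(template)) !== null) found.push(m[1]);
  return found;
}

// Constructed sample: a title that carries markup, as a tag in a media
// file's metadata could.
const SAMPLE_ITEM = { title: '<b>Untrusted</b> title', artist: 'Example Artist' };
const RAW_TEMPLATE = '<li><%= item.title %> by <%= item.artist %></li>';
const ESCAPED_TEMPLATE = '<li><%- item.title %> by <%- item.artist %></li>';

function renderRaw() {
  return renderTemplate(RAW_TEMPLATE, { item: SAMPLE_ITEM });
}

function renderEscaped() {
  return renderTemplate(ESCAPED_TEMPLATE, { item: SAMPLE_ITEM });
}

console.log('raw:     ', renderRaw());
console.log('escaped: ', renderEscaped());
console.log('raw tags in RAW_TEMPLATE:', findRawInterpolations(RAW_TEMPLATE));
```

The raw rendering keeps the `<b>` element intact, so once the string is handed to something like jQuery's `.html(...)`, as the advisory says the web UI does, the markup becomes live DOM; the escaped rendering turns the same value into `&lt;b&gt;...` text that `.html(...)` displays literally. The `findRawInterpolations` check is the kind of grep a packager can run over a UI's templates to confirm that metadata fields use the escaping form.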
--- Begin Message ---
Source: beets
Source-Version: 2.11.0-1
Done: Pieter Lenaerts <[email protected]>

We believe that the bug you reported is fixed in the latest version of
beets, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pieter Lenaerts <[email protected]> (supplier of updated beets package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 May 2026 08:11:22 +0000
Source: beets
Built-For-Profiles: noudeb
Architecture: source
Version: 2.11.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Pieter Lenaerts <[email protected]>
Closes: 1135779
Changes:
 beets (2.11.0-1) unstable; urgency=medium
 .
   * New upstream version 2.11.0
   * Update deps according to pyproject.toml
   * Remove unneeded patches - only test-rsrc remains.
   * Add patch adding a test against CVE-2026-42052 (Closes: #1135779)
   * Remove unused debian/copyright paragraph ISC
   * d/watch: renamed fields with debputy lint --auto-fix (routine-update)
   * debian/control:
     * Reorder sequence of fields by cme (routine-update)
     * Add build-deps python3-factory_boy & python3-accoustid
     * Use sphinx 9; python3-mediafile >= 1.3.1
   * debian/tests:
     * Mirror build-deps to debian/tests/control
     * Add very basic cli autopkgtest
     * unittests: set full path to resources
   * Forwarded patch add_unit_test_checking_unsafe_web_ui_input
   * Remove obsolete README.Debian
Checksums-Sha1:
 5f0ac3bcf625db0aaf94ccca6476c4e1d32117b6 3956 beets_2.11.0-1.dsc
 55a667e878c2dfaedc5b533a47a875e905049caa 2571312 beets_2.11.0.orig.tar.gz
 40cf1d691cea4da650d412af4b0c64226566a7ad 13728 beets_2.11.0-1.debian.tar.xz
 1ffba12fca708e5421ba3e7fa847b0e71c3098e7 21048 beets_2.11.0-1_source.buildinfo
Checksums-Sha256:
 ea1007eeea4814eb2a2914bb05bc44cc3c3004d30e9588bc6af3ff5e5edb6aa4 3956 beets_2.11.0-1.dsc
 2e9ee9345b57db15eb5760a836ce59fbd75897c3812d7f5dd45612c7a0a7a377 2571312 beets_2.11.0.orig.tar.gz
 f6c5b8f71abf6a1659c1a26ff4cec2b51055ca5f0e65e5b4a1d3411328b9b1ea 13728 beets_2.11.0-1.debian.tar.xz
 a81497ccf858c570c1e61d7d4846b71b35e58a13a1d08f7fbba0d907d7d59e03 21048 beets_2.11.0-1_source.buildinfo
Files:
 3e1ebe879cf1a8a347b3c179cf187b77 3956 sound - beets_2.11.0-1.dsc
 59f745ce3d3c0fa093b9a2579337b6d9 2571312 sound - beets_2.11.0.orig.tar.gz
 edeb3a7663ba090dce6ad4e98489f92e 13728 sound - beets_2.11.0-1.debian.tar.xz
 f1a0d7e7df7243805f95285b0e30c6a4 21048 sound - beets_2.11.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEd8lhnEnWos3N8v+qQoMEoXSNzHoFAmoIJvEACgkQQoMEoXSN
zHqbxBAAk4kNTywUHOhYtXT7j6lJC5YmC4Lk37McKweqGl4oXsAjjLbPAIgFVRx9
KYtCT0AfS4H/J/Oe1U+drPx36uUyVdc8v76wpz78kR2GRaoFb170ln0uW5Q8aRxt
Ey8Sqg4QCfrNdjwtIepVaFZG//niyYBjBciRO3XoTsHnNsG75lu2p5SDlUSbmYtY
LgF3i7izP/6mFltEf2TNsY03SuZh5gk4hYEsvGSxy+2iHw12YgKt2is81Jnf2urc
D/Xv4mP52xuftTf/MWO7hMZTYWlG2oVjneq2D/aHM+iobfcTAaGVCDwSHspV8MHW
pA0dtU+C/wDW426guewllw68HmyTmnabSzGYIgtPnZu5F2XsZn2rvmX6xkmnAOiz
F8Ps8A7cfSs7BAP+HpT/FJWFZxvEZIzNopbPfRJOLfNAaxkhA3IBY7QOm8c3kVtb
NRgaRfYAq8oq3Y5vtWcd65bgBWpN3GcX8Nbj/M3X2spZDWZEY/GcR2hFYmUXHaiF
34g7LriVmqxnQc5LODIQYWKIgFInWPUYTr17WREvXMtYibCZA12CTAVFBVuchKZN
9PhlMbQmpF6jNFx2wGfhsmHWd41B5w1fU8DpVibHGXvnHD0z/g+/YVWhplzucPun
ZVKFgdn2DFwFmxKzhqftTXyYFBbHu8k768vPiN2R+TaO/PEet+E=
=FW9P
-----END PGP SIGNATURE-----

Attachment: pgpzwJlbBGXrn.pgp
Description: PGP signature


--- End Message ---