Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1136681,
regarding trixie-pu: package beets/2.2.0-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136681: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136681
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:beets
User: [email protected]
Usertags: pu
Fix CVE-2026-42052 and #1135779
[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.
[ Impact ]
CVE remains unfixed.
[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the
CVE is fixed.
test/plugins/test_web.py should give assurance against regressions.
[ Risks ]
Regression in web ui plugin, but existing tests should cover this.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable, not uploaded yet.
[ Changes ]
All input fields in the web ui js template are using escaping syntax (<%- %)
instead of the non-escaping syntax (<%= %)
[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing work
with eamanu who did a first review.
diff -Nru beets-2.2.0/debian/changelog beets-2.2.0/debian/changelog
--- beets-2.2.0/debian/changelog 2025-04-13 23:38:58.000000000 +0200
+++ beets-2.2.0/debian/changelog 2026-05-14 19:51:52.000000000 +0200
@@ -1,3 +1,11 @@
+beets (2.2.0-3+deb13u1) UNRELEASED; urgency=medium
+
+ * Add patch to fix xss vulnerability CVE-2026-42052 in web ui
+ (Closes: #1135779)
+ * Add patch with test for unsafe web ui input
+
+ -- Pieter Lenaerts <[email protected]> Thu, 14 May 2026 19:51:52 +0200
+
beets (2.2.0-3) unstable; urgency=medium
[ Florent 'Skia' Jacquet ]
diff -Nru beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input
beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input
--- beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input
2025-04-13 23:38:58.000000000 +0200
+++ beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input
2026-05-14 19:51:52.000000000 +0200
@@ -2,7 +2,7 @@
Date: Sat, 9 May 2026 12:22:05 +0200
Subject: Add unit test checking for unsafe input in web ui
-Forwarded: No
+Forwarded: https://github.com/beetbox/beets/pull/6639
---
test/plugins/test_web_xss.py | 84 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff -Nru
beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui
beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui
--- beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui
2025-04-13 23:38:58.000000000 +0200
+++ beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui
2026-05-14 19:51:52.000000000 +0200
@@ -1,10 +1,10 @@
-From: Pieter Lenaerts <[email protected]>
+From: Šarūnas Nejus https://github.com/snejus
Date: Sat, 9 May 2026 08:04:44 +0200
Subject: Fix XSS by using escaped template tags in web UI
Bug: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779
-Origin:
https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a
+Bug-Debian: https://bugs.debian.org/1135779
+Origin: backport,
https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a
Forwarded: not-needed
---
beetsplug/web/templates/index.html | 28 ++++++++++++++--------------
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---