Your message dated Sat, 11 Jul 2026 10:42:30 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1136745,
regarding bookworm-pu: package beets/1.6.0-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136745: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136745
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:beets
User: [email protected]
Usertags: pu

Fix CVE-2026-42052 and #1135779

[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.

[ Impact ]
CVE remains unfixed.

[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the
CVE is fixed.
test/plugins/test_web.py should give assurance against regressions.

[ Risks ]
Regression in web ui plugin, but existing tests should cover this.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
All input fields in the web ui js template are using escaping syntax (<%- %)
instead of the non-escaping syntax (<%= %)

[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing work
with eamanu who did a first review.

My fix for unstable is also waiting review/upload.
diff -Nru beets-1.6.0/debian/changelog beets-1.6.0/debian/changelog
--- beets-1.6.0/debian/changelog        2023-01-01 19:44:21.000000000 +0100
+++ beets-1.6.0/debian/changelog        2026-05-15 18:02:11.000000000 +0200
@@ -1,3 +1,10 @@
+beets (1.6.0-4+deb12u1) UNRELEASED; urgency=medium
+
+  * Add patches fixing CVE-2026-42052 (Closes: #1135779)
+  * Backport patch to fix a test that thinks 2025 is in the future
+
+ -- Pieter Lenaerts <[email protected]>  Thu, 15 May 2026 18:02:11 +0200
+
 beets (1.6.0-4) unstable; urgency=medium
 
   * Patch: Support mediafile 0.11. (Closes: #1027461, 1027519)
diff -Nru beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 
beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input
--- beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input       
2023-01-01 19:44:21.000000000 +0100
+++ beets-1.6.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input       
2026-05-15 17:56:39.000000000 +0200
@@ -2,7 +2,7 @@
 Date: Sat, 9 May 2026 12:22:05 +0200
 Subject: Add unit test checking for unsafe input in web ui
 
-Forwarded: No
+Forwarded: https://github.com/beetbox/beets/pull/6639
 ---
  test/plugins/test_web_xss.py | 84 ++++++++++++++++++++++++++++++++++++++++++++
  1 file changed, 84 insertions(+)
diff -Nru 
beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 
beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui
--- beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 
2023-01-01 19:44:21.000000000 +0100
+++ beets-1.6.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 
2026-05-15 17:56:39.000000000 +0200
@@ -1,10 +1,10 @@
-From: Pieter Lenaerts <[email protected]>
+From: Šarūnas Nejus https://github.com/snejus
 Date: Sat, 9 May 2026 08:04:44 +0200
 Subject: Fix XSS by using escaped template tags in web UI
 
 Bug: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779
-Origin: 
https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a
+Origin: backport, 
https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a
 Forwarded: not-needed
 ---
  beetsplug/web/templates/index.html | 28 ++++++++++++++--------------

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to