Hi,

On Thu, May 14, 2026 at 08:59:14PM +0200, Pieter Lenaerts wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:beets
> User: [email protected]
> Usertags: pu
>
> Fix CVE-2026-42052 and #1135779
>
> [ Reason ]
> CVE is considered low risk, no DSA, and fixable by production update.
>
>
> [ Impact ]
> CVE remains unfixed.
>
> [ Tests ]
> Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the
> CVE is fixed.
> test/plugins/test_web.py should give assurance against regressions.
>
> [ Risks ]
> Regression in web ui plugin, but existing tests should cover this.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable, not uploaded yet.
Small remark procedure-wise (but I'm not speaking authoritatively here, I'm not a SRM): the fix really needs to be in unstable first before a trixie-pu update can be considered. But at this point the beets update might be considered for the 13.6 point release on 11th July (as we missed the window for the next one on 16th May).

Regards,
Salvatore

