Your message dated Sat, 23 May 2026 13:47:18 +0000
with message-id <[email protected]>
and subject line Bug#1135779: fixed in beets 1.6.0-4+deb12u1
has caused the Debian Bug report #1135779,
regarding beets: CVE-2026-42052
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135779: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: beets
Version: 2.8.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for beets.

CVE-2026-42052[0]:
| Beets is the media library management system. Prior to version
| 2.10.0, the bundled web UI uses Underscore template interpolation
| mode <%= ... %> for untrusted metadata fields. In this runtime, <%=
| ... %> is raw insertion and HTML escaping is only performed by <%-
| ... %>. Rendered output is then inserted with .html(...), allowing
| attacker-controlled markup to become active DOM. This issue has been
| patched in version 2.10.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42052
    https://www.cve.org/CVERecord?id=CVE-2026-42052
[1] https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
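As an added illustration (not code from beets, Underscore.js or the advisory), the following is a reduced model of the two Underscore interpolation modes the advisory names, showing why an untrusted title rendered with `<%= %>` and then inserted via `.html()` becomes live markup, while `<%- %>` keeps it as text. `renderTemplate`, `countTags`, the two templates and the sample item are constructed for this example; real Underscore evaluates arbitrary JavaScript between the delimiters, whereas this model only resolves dotted property names.

```javascript
// Added example (not from beets or Underscore.js): a reduced model of
// Underscore's interpolation modes, to show why CVE-2026-42052 arises when
// <%= %> (raw insertion) is used for untrusted metadata that the page later
// passes to .html(). Only dotted property lookups are supported here.

// Same character set that Underscore's _.escape replaces.
const ESCAPE_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Resolve an "item.title" style path against the data object.
function lookup(path, data) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}

// <%= expr %> inserts the value verbatim; <%- expr %> HTML-escapes it first.
function renderTemplate(tpl, data) {
  return tpl.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_m, mode, path) => {
    const value = lookup(path, data);
    const text = value == null ? "" : String(value);
    return mode === "-" ? escapeHtml(text) : text;
  });
}

// Vulnerable form (raw mode on an untrusted field) beside the fixed form.
const VULNERABLE_TPL = '<span class="title"><%= item.title %></span>';
const FIXED_TPL = '<span class="title"><%- item.title %></span>';

// Constructed metadata: a title tag carrying markup, as an untrusted media
// file's metadata could. Harmless markup is enough to show the difference.
const SAMPLE_ITEM = { item: { title: 'Track <b>one</b> & "friends"' } };

// Defensive check: count HTML tags in a rendered fragment. Anything beyond the
// template's own <span></span> pair came from the data and would become live
// DOM once the fragment is inserted with .html(...).
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

console.log(renderTemplate(VULNERABLE_TPL, SAMPLE_ITEM)); // 4 tags: data leaked markup
console.log(renderTemplate(FIXED_TPL, SAMPLE_ITEM));      // 2 tags: data stayed text
```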
--- Begin Message ---
Source: beets
Source-Version: 1.6.0-4+deb12u1
Done: Pieter Lenaerts <[email protected]>

We believe that the bug you reported is fixed in the latest version of
beets, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pieter Lenaerts <[email protected]> (supplier of updated beets package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 23 May 2026 11:35:26 +0000
Source: beets
Built-For-Profiles: noudeb
Architecture: source
Version: 1.6.0-4+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Pieter Lenaerts <[email protected]>
Closes: 1135779
Changes:
 beets (1.6.0-4+deb12u1) bookworm; urgency=medium
 .
   * Add patches fixing CVE-2026-42052 (Closes: #1135779)
   * Backport patch to fix a test that thinks 2025 is in the future



--- End Message ---