Your message dated Mon, 25 May 2026 12:47:05 +0000
with message-id <[email protected]>
and subject line Bug#1135779: fixed in beets 2.2.0-3+deb13u1
has caused the Debian Bug report #1135779,
regarding beets: CVE-2026-42052
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135779: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: beets
Version: 2.8.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for beets.

CVE-2026-42052[0]:
| Beets is the media library management system. Prior to version
| 2.10.0, the bundled web UI uses Underscore template interpolation
| mode <%= ... %> for untrusted metadata fields. In this runtime, <%=
| ... %> is raw insertion and HTML escaping is only performed by <%-
| ... %>. Rendered output is then inserted with .html(...), allowing
| attacker-controlled markup to become active DOM. This issue has been
| patched in version 2.10.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42052
    https://www.cve.org/CVERecord?id=CVE-2026-42052
[1] https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
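The mechanism the advisory describes, as an added example that is neither beets nor Underscore code: a minimal renderer that reproduces the semantics of the two tags (`<%= %>` inserts raw, `<%- %>` escapes with the same character set as Underscore's `_.escape`), rendering a constructed metadata record through the vulnerable and the hardened template side by side. The template strings, field names and helper names are assumptions, not taken from the beets web UI.

```javascript
// Added example (not beets or Underscore code). It mimics the two Underscore
// template tags named in the advisory to show why <%= %> on untrusted metadata
// is unsafe once the result goes through .html(...), while <%- %> is inert.

// Same six characters Underscore's _.escape() replaces.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };

function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Tiny template engine: <%= field %> inserts raw, <%- field %> inserts escaped.
// Only plain field lookups are supported; that is all the advisory's pattern needs.
const TAG_RE = /<%([=-])\s*([A-Za-z_$][\w$]*)\s*%>/g;

function renderTemplate(template, data) {
  return template.replace(TAG_RE, (_match, mode, field) => {
    const value = data[field];
    return mode === '-' ? escapeHtml(value) : (value == null ? '' : String(value));
  });
}

// Constructed metadata record: a tag value carrying markup, as a file's tags could.
const UNTRUSTED_ITEM = { title: '<b>Not really bold</b>', artist: 'Ann "A." O\'Brien' };

// Vulnerable shape from the advisory: raw interpolation, so any markup in the
// field survives and becomes live DOM when inserted with .html(...).
const VULNERABLE_TEMPLATE = '<span class="title"><%= title %></span> by <%= artist %>';
// Hardened shape: escaped interpolation, so the same field arrives as text.
const HARDENED_TEMPLATE = '<span class="title"><%- title %></span> by <%- artist %>';

function renderVulnerable(item) { return renderTemplate(VULNERABLE_TEMPLATE, item); }
function renderHardened(item) { return renderTemplate(HARDENED_TEMPLATE, item); }

// Review check: does the rendered output contain any tag that the template
// itself did not contain? If so, a data field contributed markup.
function containsForeignTag(rendered, template) {
  const tagRe = /<\/?[a-z][^>]*>/gi;
  const templateTags = new Set(template.match(tagRe) || []);
  return (rendered.match(tagRe) || []).some((tag) => !templateTags.has(tag));
}
```

`containsForeignTag(renderVulnerable(UNTRUSTED_ITEM), VULNERABLE_TEMPLATE)` is true and the hardened counterpart is false, which is the property the upstream fix restores.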
--- Begin Message ---
Source: beets
Source-Version: 2.2.0-3+deb13u1
Done: Pieter Lenaerts <[email protected]>

We believe that the bug you reported is fixed in the latest version of
beets, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pieter Lenaerts <[email protected]> (supplier of updated beets package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 25 May 2026 09:10:59 +0000
Source: beets
Built-For-Profiles: noudeb
Architecture: source
Version: 2.2.0-3+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Pieter Lenaerts <[email protected]>
Closes: 1135779
Changes:
 beets (2.2.0-3+deb13u1) trixie; urgency=medium
 .
   * Add patch to fix xss vulnerability CVE-2026-42052 in web ui
     (Closes: #1135779)
   * Add patch with test for unsafe web ui input


--- End Message ---