| Header | Value |
|---|---|
| From | "Pieter Lenaerts" <plenae@disroot.org> |
| Newsgroups | linux.debian.bugs.dist, linux.debian.maint.python |
| Subject | Bug#1135779: beets: CVE-2026-42052 |
| Date | Sat, 09 May 2026 15:20:01 +0200 |
| Message-ID | <MSPL3-3Rhp-1@gated-at.bofh.it> |
| X-Debian-Pr-Package | src:beets |
| X-Debian-Pr-Keywords | security upstream |
| X-Debian-Pr-Source | beets |
Cross-posted to 2 groups.
On Wed May 6, 2026 at 7:47 AM CEST, Salvatore Bonaccorso wrote:

Hi Salvatore & python team,

> [...] just uploading the fixing version to
> unstable is good.

I'm looking into getting the update to unstable. There are some dependency issues.

> For stable and oldstable I believe it does not need
> a security update, we will mark it no-dsa in the security tracker. If
> you mean to fix it in stable and oldstable doing it via an upcoming
> point release would be sufficient.

I have now pushed my proposition for a trixie update to
https://salsa.debian.org/python-team/packages/beets/-/tree/debian/stable/

I backported the patch and added a test to check for unsafe input fields in the template.

1. Can someone in the python team review my proposed fix?
2. Should this then become a stable update, following that process? If yes I will open a stable update bug.

Thanks for giving me directions,
Pieter