From: "Pieter Lenaerts"
Newsgroups: linux.debian.bugs.dist,linux.debian.maint.python
Subject: Bug#1135779: beets: CVE-2026-42052
Date: Sat, 09 May 2026 15:20:01 +0200
To: "Salvatore Bonaccorso", 1135779@bugs.debian.org
Cc: team+python@tracker.debian.org
X-Debian-Pr-Package: src:beets
X-Debian-Pr-Keywords: security upstream
References: <177801237027.141056.6673010442190432376.reportbug@eldamar.lan>

On Wed May 6, 2026 at 7:47 AM CEST, Salvatore Bonaccorso wrote:

Hi Salvatore & python team,

> [...] just uploading the fixing version to
> unstable is good.

I'm looking into getting the update to unstable. There are some dependency issues.

> For stable and oldstable I believe it does not need
> a security update, we will mark it no-dsa in the security tracker. If
> you mean to fix it in stable and oldstable doing it via an upcoming
> point release would be sufficient.

I have now pushed my proposition for a trixie update to
https://salsa.debian.org/python-team/packages/beets/-/tree/debian/stable/

I backported the patch and added a test to check for unsafe input fields in the template.

1. Can someone in the python team review my proposed fix?
2. Should this then become a stable update, following that process? If yes, I will open a stable update bug.

Thanks for giving me directions,

Pieter