
Bug#1136681: trixie-pu: package beets/2.2.0-3

From Pieter Lenaerts <plenae@disroot.org>
Newsgroups linux.debian.bugs.dist, linux.debian.devel.release
Subject Bug#1136681: trixie-pu: package beets/2.2.0-3
Date 2026-05-14 21:10 +0200
Message-ID <MUJBv-58RK-5@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: beets@packages.debian.org, plenae@disroot.org
Control: affects -1 + src:beets
User: release.debian.org@packages.debian.org
Usertags: pu

Fix CVE-2026-42052 and #1135779

[ Reason ]
CVE is considered low risk, no DSA, and fixable by production update.


[ Impact ]
CVE remains unfixed.

[ Tests ]
Added a test in patch add_unit_test_checking_unsafe_web_ui_input to check the
CVE is fixed.
test/plugins/test_web.py should give assurance against regressions.

[ Risks ]
Regression in web ui plugin, but existing tests should cover this.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable, not uploaded yet.

[ Changes ]
All input fields in the web ui js template are using the escaping syntax (<%- %>)
instead of the non-escaping syntax (<%= %>).

[ Other info ]
I'm not a DD, I won't be uploading myself. I will probably be continuing work
with eamanu who did a first review.
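The [ Changes ] entry above refers to Underscore.js-style template delimiters, where `<%= %>` inserts a value raw and `<%- %>` HTML-escapes it first. The following added example (not code from the bug report, from beets, or from the Underscore library) is a minimal renderer that implements just those two delimiters with Underscore's escape table, and renders a constructed track record both ways so the difference the fix makes is visible.

```javascript
// Added example: a minimal Underscore.js-style template renderer supporting
// the two delimiters the fix switches between. This is illustrative code,
// not beets' web plugin and not the Underscore library itself.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Same character set that Underscore's _.escape neutralises.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// <%= path %> interpolates raw; <%- path %> interpolates HTML-escaped.
// `path` is resolved as a dotted property path on `data`; nothing is eval'd.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_m, mode, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value === undefined ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// Constructed sample: a track whose tags contain HTML metacharacters, as
// metadata from an untrusted file or an edited tag could.
const SAMPLE_ITEM = { title: 'Song <b>Title</b> & "Friends"', artist: "O'Neil" };

// Pre-fix shape of a list template: raw interpolation of tag values.
const UNSAFE_TEMPLATE = '<li><%= title %> - <%= artist %></li>';
// Post-fix shape: every interpolated field is escaped.
const SAFE_TEMPLATE = '<li><%- title %> - <%- artist %></li>';

function renderUnsafe(item = SAMPLE_ITEM) {
  return render(UNSAFE_TEMPLATE, item);
}

function renderSafe(item = SAMPLE_ITEM) {
  return render(SAFE_TEMPLATE, item);
}

// Regression-style check in the spirit of the report's test patch: the raw
// markup from the title must not survive into the escaped rendering.
function titleMarkupLeaks(item = SAMPLE_ITEM) {
  return renderSafe(item).includes('<b>');
}
```

With the unsafe template the `<b>` from the title is emitted as real markup; with the escaped template it arrives as `&lt;b&gt;` text, which is the behaviour the test in `test/plugins/test_web.py` is meant to pin down.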



Thread

Bug#1136681: trixie-pu: package beets/2.2.0-3 Pieter Lenaerts <plenae@disroot.org> - 2026-05-14 21:10 +0200
  Bug#1136681: trixie-pu: package beets/2.2.0-3 Salvatore Bonaccorso <carnil@debian.org> - 2026-05-14 21:20 +0200
    Bug#1136681: trixie-pu: package beets/2.2.0-3 "Pieter Lenaerts" <plenae@disroot.org> - 2026-05-14 21:40 +0200
      Bug#1136681: trixie-pu: package beets/2.2.0-3 "Pieter Lenaerts" <plenae@disroot.org> - 2026-05-15 19:00 +0200
