Hi Pieter,

On Wed, May 06, 2026 at 07:00:45AM +0200, Pieter Lenaerts wrote:
> Thanks.
>
> I'm assuming, based on nothing but my own judgement, that users don't often
> expose their beets library externally using this web UI. Even if they do, this
> vulnerability is not very practical for attackers to exploit as they should
> poison a library with malicious code in music metadata fields. Or something.
>
> Therefore, I think this is a low risk vulnerability.
>
> Upstream reports this is fixed in their commit
> https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a
>
> I will update the package to 2.10 in unstable with DD sponsorship from the
> python team.
>
> I will try to prepare stable updates for bullseye to trixie in branches in
> salsa. I will try to backport this commit and provide a test confirming proper
> escaping of field input.
>
> I'm not a DD, so I do not have upload access. I propose I work on the above
> and report on my progress here. I think I will need a couple of days, maybe
> until the end of the weekend to propose fixes.
>
> Please jump in if any of the above does not sound okay.
FWIW, I agree with you, and just uploading the fixing version to unstable is
good. For stable and oldstable I believe it does not need a security update;
we will mark it no-dsa in the security tracker. If you mean to fix it in stable
and oldstable, doing it via an upcoming point release would be sufficient.

Thanks for working on it,

Regards,
Salvatore

