Debian Package Tracker

beets

music tagger and library organizer

general
  • source: beets (main)
  • version: 2.8.0-1
  • maintainer: Debian Python Team (DMD)
  • uploaders: Ryan Kavanagh [DMD] – Pieter Lenaerts [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions
  • o-o-stable: 1.4.9-7
  • oldstable: 1.6.0-4
  • stable: 2.2.0-3
  • testing: 2.8.0-1
  • unstable: 2.8.0-1
versioned links
  • 1.4.9-7: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.6.0-4: [.dsc] [changelog] [copyright] [rules] [control]
  • 2.2.0-3: [.dsc] [changelog] [copyright] [rules] [control]
  • 2.8.0-1: [.dsc] [changelog] [copyright] [rules] [control]
binaries
  • beets (2 bugs: 0, 2, 0, 0)
  • beets-doc
action needed
Marked for autoremoval on 08 June due to starlette: #1134850 high
Version 2.8.0-1 of beets is marked for autoremoval from testing on Mon 08 Jun 2026. It depends (transitively) on starlette, affected by #1134850. You should try to prevent the removal by fixing these RC bugs.
Created: 2026-05-02 Last update: 2026-05-13 09:03
A new upstream version is available: 2.11.0 high
A new upstream version 2.11.0 is available, you should consider packaging it.
Created: 2026-04-11 Last update: 2026-05-13 04:00
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2026-42052: Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.
Created: 2026-05-05 Last update: 2026-05-11 20:30
1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-42052: Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.
Created: 2026-05-05 Last update: 2026-05-11 20:30
1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:
  • CVE-2026-42052: Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.
Created: 2026-05-05 Last update: 2026-05-11 20:30
Fails to build during reproducibility testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2026-05-04 Last update: 2026-05-13 06:31
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 2.11.0-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 0c67dd07cfebd48a94dded86e3992611996ac194
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon May 11 17:49:13 2026 +0200

    Update changelog

commit debbcf37d7d395838ae4ed1e22f788dbd054d9d4
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon May 11 17:33:03 2026 +0200

    Add patch to add test to verify CVE-2026-42052 is not present

commit 2d2474a0eac16777d7f8b34f17d31e48fcb77044
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon May 11 17:21:21 2026 +0200

    Fix dependencies for debian/tests; split off basic-cli-test deps

commit 6e2aa869ca9187ffc7198c6fe4c69f83cef287fe
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon May 11 16:53:39 2026 +0200

    Rename illegal-runtime-test-name to d/t/basic-cli-functions

commit 147e403cfbc19dd7390fbc35dae7c2785acb2def
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon May 11 07:17:42 2026 +0200

    Mirror dep changes to d/t/control

commit 75287097cdc70b322ef3ad64fba0f6540cdc208d
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon May 11 07:02:12 2026 +0200

    Disabled librosa build-dep & suggests due to broken numba-numpy version requirements

commit e6a5d65bb0e4c8be39d2edfc65fc619615662692
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Sat May 9 06:45:54 2026 +0200

    debian/control: Add build-dep factory_boy and use sphinx 9

commit d2feb25a4158984a77d853835bae5949bf8c2c95
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Fri May 8 08:04:27 2026 +0200

    debputy lint --auto-fix (routine-update)

commit e7af2ac363e1b8f339a62e0e7890c6bd1f61f9d5
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Fri May 8 08:04:20 2026 +0200

    Reorder sequence of d/control fields by cme (routine-update)

commit fb9a40d0936cda7097d73f12a139dd3d8403c8ac
Merge: fa80210 f66ff60
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Fri May 8 07:48:25 2026 +0200

    Update upstream source from tag 'upstream/2.11.0'
    
    Update to upstream version '2.11.0'
    with Debian dir 1c8d79535f327d0389b52fe17d539362ec3f568a

commit fa802108f1982cbcd39757ef20031772a760ef94
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Fri May 8 07:48:17 2026 +0200

    New upstream version

commit f66ff60f457281ac132eff8a1147ec5e62e09757
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Fri May 8 07:48:17 2026 +0200

    New upstream version 2.11.0

commit f46f5410a96d02af3853ad53ffb6c3c54ec3d799
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Sat Apr 25 11:08:01 2026 +0200

    Add arch restrictions to python3-resampy and mirror to autopkgtest control

commit bfd4faefd1d181dd83c9209b3437bd3d9b0bd2d6
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Sat Apr 25 10:35:30 2026 +0200

    Add autopkgtest, mark librosa for right architectures

commit c8e9839e596ab888473523a93c8318f51c0d6842
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Wed Apr 15 10:14:12 2026 +0200

    Ready for release to unstable

commit 3952372c94dde294b54a64a8e587449ed8dfca5d
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Wed Apr 15 10:11:46 2026 +0200

    Remove unused copyright paragraph ISC

commit 7d14a1854e6cb73d957dde46f5f4b7c026dc2c46
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Wed Apr 15 09:52:04 2026 +0200

    Mirror build dep updates to d/t/control

commit dd6a1a46ece2ebb7c38ab630988e873ffe544d69
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Wed Apr 15 09:29:34 2026 +0200

    Add test-rsrc patch again. Needed in clean test environments.

commit 5493d17cffa1de785cd197c9859ac9e345d57395
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Wed Apr 15 06:30:40 2026 +0200

    Update build-deps & suggests:
    
    New build-deps:
    * librosa, resampy, acoustid
    New suggests: librosa

commit ed7719764b0d437d00c56fea446ee3f00b39f778
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon Apr 13 22:45:25 2026 +0200

    Remove potentially unneeded patches
    
    No patches left

commit 0dfada4627311ddb3685a18b2f2398097ecfa1f4
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon Apr 13 22:40:37 2026 +0200

    Update deps according to pyproject.toml

commit a2514c6367b62f5978b24af7c82a728bde89d5d4
Merge: 84859fd dc18eba
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon Apr 13 22:05:12 2026 +0200

    Update upstream source from tag 'upstream/2.9.0'
    
    Update to upstream version '2.9.0'
    with Debian dir a6ba12fcebf0c2fb4638850ce2211836373aa021

commit dc18ebaf6d273cbeb50f2b404a78169538509dd6
Author: Pieter Lenaerts <plenae@disroot.org>
Date:   Mon Apr 13 22:05:04 2026 +0200

    New upstream version 2.9.0
Created: 2026-04-15 Last update: 2026-05-11 20:01
1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2026-42052: (needs triaging) Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-05 Last update: 2026-05-11 20:30
1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:
  • CVE-2026-42052: (needs triaging) Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-05 Last update: 2026-05-11 20:30
debian/patches: 1 patch to forward upstream low

Among the 3 debian patches available in version 2.8.0-1 of the package, we noticed the following issues:

  • 1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-04-11 21:01
news
  • [2026-04-14] beets 2.8.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-11] Accepted beets 2.8.0-1 (source) into unstable (Pieter Lenaerts) (signed by: Jeroen Ploemen)
  • [2026-03-29] beets 2.7.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-26] Accepted beets 2.7.1-1 (source) into unstable (Pieter Lenaerts) (signed by: Emmanuel Arias)
  • [2026-03-13] beets 2.6.2-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-06] Accepted beets 2.6.2-1 (source) into unstable (Pieter Lenaerts) (signed by: Emmanuel Arias)
  • [2026-02-19] beets 2.5.1-4 MIGRATED to testing (Debian testing watch)
  • [2026-02-16] Accepted beets 2.5.1-4 (source) into unstable (Emmanuel Arias)
  • [2026-02-16] Accepted beets 2.5.1-3 (source) into unstable (Pieter Lenaerts) (signed by: Emmanuel Arias)
  • [2026-01-17] beets 2.5.1-2 MIGRATED to testing (Debian testing watch)
  • [2026-01-15] Accepted beets 2.5.1-2 (source) into unstable (Alexandre Detiste)
  • [2026-01-02] beets 2.5.1-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-30] Accepted beets 2.5.1-1 (source) into unstable (Pieter Lenaerts) (signed by: Tobias Frost)
  • [2025-04-24] beets 2.2.0-3 MIGRATED to testing (Debian testing watch)
  • [2025-04-13] Accepted beets 2.2.0-3 (source) into unstable (Stefano Rivera)
  • [2025-01-01] beets 2.2.0-2 MIGRATED to testing (Debian testing watch)
  • [2024-12-29] Accepted beets 2.2.0-2 (source) into unstable (Stefano Rivera)
  • [2024-12-06] beets 2.2.0-1 MIGRATED to testing (Debian testing watch)
  • [2024-12-03] Accepted beets 2.2.0-1 (source) into unstable (Stefano Rivera)
  • [2024-11-28] beets 2.1.0-1 MIGRATED to testing (Debian testing watch)
  • [2024-11-25] Accepted beets 2.1.0-1 (source) into unstable (Stefano Rivera)
  • [2024-06-08] beets 2.0.0-1 MIGRATED to testing (Debian testing watch)
  • [2024-06-06] Accepted beets 2.0.0-1 (source) into unstable (Stefano Rivera)
  • [2024-04-01] beets 1.6.0-9 MIGRATED to testing (Debian testing watch)
  • [2024-03-28] Accepted beets 1.6.0-9 (source) into unstable (Alexandre Detiste)
  • [2024-01-15] beets 1.6.0-8 MIGRATED to testing (Debian testing watch)
  • [2024-01-13] Accepted beets 1.6.0-8 (source) into unstable (Carsten Schoenert)
  • [2023-11-15] beets 1.6.0-7 MIGRATED to testing (Debian testing watch)
  • [2023-11-13] Accepted beets 1.6.0-7 (source) into unstable (Stefano Rivera)
  • [2023-11-12] Accepted beets 1.6.0-6 (source) into unstable (Stefano Rivera)
bugs
  • all: 4
  • RC: 0
  • I&N: 4
  • M&W: 0
  • F&P: 0
  • patch: 0
ubuntu
  • version: 2.5.1-4

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.