• bookworm-pu: package twitter-bootstrap3/3.4.1+dfsg-3+deb12u1

    From Bastien Roucaries@21:1/5 to Debian Bug Tracking System on Sun Apr 13 11:08:23 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: twitter-bootstrap3@packages.debian.org
    Control: affects -1 + src:twitter-bootstrap3
    User: release.debian.org@packages.debian.org
    Usertags: pu


    [ Reason ]
    XSS security problems

    [ Impact ]
    Vulnerability to XSS attack

    [ Tests ]
    No, but tested manually using a PoC.

    [ Risks ]
    Low

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    CVE-2024-6485/CVE-2024-6484

    [ Other info ]
    May need a rebuild of statically linked (webpacked/rollup...) packages.
    But it first needs to get into bookworm.

    Attachment: u1.debdiff

    diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
    --- twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2022-12-18 00:30:51.000000000 +0100
    +++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-04-10 23:47:00.000000000 +0200
    @@ -1,3 +1,28 @@
    +twitter-bootstrap3 (3.4.1+dfsg-3+deb12u1) bookworm; urgency=medium
    +
    + * Team upload
    + * Fix CVE-2024-6485:
    + A security vulnerability has been discovered in bootstrap
    + that could enable Cross-Site Scripting (XSS) attacks.
    + The vulnerability is associated with the data-loading-text
    + attribute within the button plugin.
    + This vulnerability can be exploited by injecting malicious
    + JavaScript code into the attribute, which would then be
    + executed when the button's loading state is triggered.
    + (Closes: #1084060)
    + * Fix CVE-2024-6484:
    + A vulnerability has been identified in Bootstrap that
    + exposes users to Cross-Site Scripting (XSS) attacks.
    + The issue is present in the carousel component, where the
    + data-slide and data-slide-to attributes can be exploited
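    Review bot: the changelog bullets for CVE-2024-6485 and CVE-2024-6484 describe each vulnerability but say nothing about how it was fixed; add to each bullet the name of the patch under debian/patches (or the upstream commit it backports) so the fix can be traced from the changelog, e.g. extend `+ * Fix CVE-2024-6485:` with the patch file applied for it.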