Your message dated Sun, 13 Apr 2025 12:56:38 +0000
with message-id <e1u3wt4-00fm5h...@fasolo.debian.org>
and subject line Bug#1084059: fixed in twitter-bootstrap4 4.6.1+dfsg1-5
has caused the Debian Bug report #1084059,
regarding twitter-bootstrap4: CVE-2024-6531
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1084059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: twitter-bootstrap4
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for twitter-bootstrap4.
CVE-2024-6531[0]:
| A vulnerability has been identified in Bootstrap that exposes users
| to Cross-Site Scripting (XSS) attacks. The issue is present in the
| carousel component, where the data-slide and data-slide-to
| attributes can be exploited through the href attribute of an <a> tag
| due to inadequate sanitization. This vulnerability could potentially
| enable attackers to execute arbitrary JavaScript within the victim's
| browser.
https://www.herodevs.com/vulnerability-directory/cve-2024-6531
But I think the bigger issue is that Bootstrap 3 and 4 are EOLed,
so possibly Debian should move to use 5 instead?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-6531
https://www.cve.org/CVERecord?id=CVE-2024-6531
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: twitter-bootstrap4
Source-Version: 4.6.1+dfsg1-5
Done: Bastien Roucariès <ro...@debian.org>
We believe that the bug you reported is fixed in the latest version of
twitter-bootstrap4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1084...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated twitter-bootstrap4
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 13 Apr 2025 13:42:02 +0200
Source: twitter-bootstrap4
Architecture: source
Version: 4.6.1+dfsg1-5
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1084059
Changes:
twitter-bootstrap4 (4.6.1+dfsg1-5) unstable; urgency=high
.
* Team upload
* Fix CVE-2024-6531 (XSS vulnerability):
An anchor element (<a>), when used for carousel navigation
with a data-slide attribute, can contain an href attribute
value that is not subject to proper content sanitization.
Improper extraction of the intended target carousel’s
#id from the href attribute can lead to use cases where
the click event’s preventDefault()
is not applied and the href is evaluated and executed.
As a result, restrictions are not applied to the data
that is evaluated, which can lead to potential
XSS vulnerabilities.
(Closes: #1084059)
Checksums-Sha1:
5b21196eef482f1cae1d2e2500a233b265f0e6b2 2348
twitter-bootstrap4_4.6.1+dfsg1-5.dsc
e98a1a8175e6450e984d87a197e3afc1aa8716f2 2329588
twitter-bootstrap4_4.6.1+dfsg1.orig.tar.xz
a41320d5ad422f6442c4458a9c12533d7657e7b1 19664
twitter-bootstrap4_4.6.1+dfsg1-5.debian.tar.xz
c6d2b14c256114b58cd78c4c5a90619ba92374c5 16875
twitter-bootstrap4_4.6.1+dfsg1-5_amd64.buildinfo
Checksums-Sha256:
a6ca11e32fe9b62882c19d02b367e35d99c518513e0d1f425eff5e6628db4521 2348
twitter-bootstrap4_4.6.1+dfsg1-5.dsc
a2fdd5c181d592deb7ea7b1676188978cc60ebf182d1e6c4d6c712e0c6eb8a54 2329588
twitter-bootstrap4_4.6.1+dfsg1.orig.tar.xz
7f6195374333238bc26ba7e920034a00bbb7f1df0b277eb14304fae1f22dd301 19664
twitter-bootstrap4_4.6.1+dfsg1-5.debian.tar.xz
e4c70398ebad4dfd471d4ef74ad3839746be5fd4f06e9848c4384eec0eb7b84c 16875
twitter-bootstrap4_4.6.1+dfsg1-5_amd64.buildinfo
Files:
4cd7b6b3c7094985b588d34e2f04748c 2348 javascript optional
twitter-bootstrap4_4.6.1+dfsg1-5.dsc
d0b7793db9e3976ce87f34dda946affa 2329588 javascript optional
twitter-bootstrap4_4.6.1+dfsg1.orig.tar.xz
3e5b7991a926d50f7b7e4506a4e11f45 19664 javascript optional
twitter-bootstrap4_4.6.1+dfsg1-5.debian.tar.xz
43e1274c702300f7785ecc44da367bcd 16875 javascript optional
twitter-bootstrap4_4.6.1+dfsg1-5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmf7rz8ACgkQADoaLapB
CF8KKRAAh1vJAxcO9KZ727bJH0dFGFJ2uNYcna/TkmhezErwSJehjdPOWZVegzu1
nfo4nxKDU7a3jC4Qi9xy1F/jXsNhWqZQngMp12qodiRL6LfUGlDaxgSpy3088CpO
7HFD/x8l2ZD/2q4KO+GwDC7WFDcACOIYmZEjz0Q/24T8qSTddsUj9TbJid5v/ag8
pOwTLxGJRBoFUz+Iv2Zt+Sper0f955PWOnf75t9Oxc3JJQ2tfcMwSwQg6G4j5P2f
1sGJvBrOJ3p2Y/36hi+etjmC3YwiVQXhPRjpC4sbMX8K6SfTuwuviWxd9sGy6iKX
JbavYjjIhkBSc3o8hQYahPcmT185onii9zR1CDM5fDuqxyCQyzClEw37bKzOqmU/
BusjssXkIxwMtqgiOfOKrNs8inHSvBIhJwxRf+YWoHe6TjMK5dvU3Qt0bXudApOo
aq/5LP3a7inl9ivx8RX/8Vb1szPJ4U6ZNrXGOWdX6h7yIHmTB9HdPvX17HPccsbo
6jPtzaH3U2jTZ4dR6reXzQQPzoWFbHEYa/KyPSblWw0X/tDv5f7EyOKrwVDQv5u3
J9ps/IxDQ7vOEm7OIzo2q5tQVv+71Y3v3FqX7DZLjNI29gnsQJ/WKJUb4FcoDM6B
sh9xEaKtrUxIEAZwcxpCQ2v4kcrib8gtKDBPS+ibcfHiiHm1Oc4=
=lj50
-----END PGP SIGNATURE-----
--- End Message ---
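The changelog entry above describes the defect as the carousel's click handler extracting the target "#id" from an anchor's href without validating it, so that a non-fragment href could escape preventDefault() and be followed. The following is an added illustration of the hardened shape of that logic; it is not Bootstrap's code and not the patch shipped in the Debian package. It assumes a hypothetical extractor that only accepts a plain fragment matching a strict id grammar, and a click handler that suppresses navigation for every data-slide control regardless of what the href contains. The DOM element and event are constructed stand-in objects so the code runs outside a browser.

```javascript
// Added illustrative example (not Bootstrap's own code, not the Debian patch):
// a strict extractor for the carousel target referenced by a data-slide anchor.
// The CVE-2024-6531 description says the target "#id" was pulled from the href
// without proper validation, so a non-fragment href could be navigated.
// This version only accepts a fragment that is a valid id token and treats
// anything else as "no target"; the handler always calls preventDefault().

// Assumed id grammar (constructed): letter or underscore, then [\w-]*.
const SAFE_FRAGMENT = /^#[A-Za-z_][\w-]*$/;

/**
 * Return the target id for a data-slide anchor, or null if the href is not a
 * plain fragment. Whitespace is trimmed so " #c1 " is accepted, but anything
 * carrying a scheme, host, path, or characters outside the id grammar is not.
 */
function extractCarouselTarget(href) {
  if (typeof href !== 'string') return null;
  const trimmed = href.trim();
  if (!SAFE_FRAGMENT.test(trimmed)) return null;
  return trimmed.slice(1);
}

/**
 * Simulate the click handling for an element carrying data-slide.
 * `el` is a plain object standing in for a DOM element (constructed so the
 * example runs without a browser): { href, dataset: { slide } }.
 * Returns a record of what the handler did so the outcome can be checked.
 */
function handleSlideClick(el, event) {
  // Hardened behaviour: a data-slide control never navigates, whatever its href.
  event.preventDefault();
  const target = extractCarouselTarget(el.href);
  if (target === null) {
    // Unsafe or missing target: stop here; navigation is already suppressed.
    return { prevented: true, slid: false, target: null };
  }
  return { prevented: true, slid: true, target, direction: el.dataset.slide };
}

// Minimal event stand-in (constructed) that records whether preventDefault ran.
function makeEvent() {
  const ev = { defaultPrevented: false };
  ev.preventDefault = () => { ev.defaultPrevented = true; };
  return ev;
}

// Usage with constructed inputs: a normal control and a non-fragment href.
const benign = { href: '#myCarousel', dataset: { slide: 'next' } };
const nonFragment = { href: 'javascript:void(0)', dataset: { slide: 'next' } };
console.log(handleSlideClick(benign, makeEvent()));       // slides to myCarousel
console.log(handleSlideClick(nonFragment, makeEvent()));  // prevented, no slide
```

The two design points to carry over to any similar data-attribute-driven control are that preventDefault() is unconditional, so the href is never navigated, and that the target selector is accepted only under an allow-list grammar rather than by stripping known-bad prefixes.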