Your message dated Sat, 10 May 2025 17:17:11 +0000
with message-id <e1udnp1-00dcoh...@fasolo.debian.org>
and subject line Bug#1084059: fixed in twitter-bootstrap4 4.6.1+dfsg1-4+deb12u1
has caused the Debian Bug report #1084059,
regarding twitter-bootstrap4: CVE-2024-6531
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1084059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: twitter-bootstrap4
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for twitter-bootstrap4.
CVE-2024-6531[0]:
| A vulnerability has been identified in Bootstrap that exposes users
| to Cross-Site Scripting (XSS) attacks. The issue is present in the
| carousel component, where the data-slide and data-slide-to
| attributes can be exploited through the href attribute of an <a> tag
| due to inadequate sanitization. This vulnerability could potentially
| enable attackers to execute arbitrary JavaScript within the victim's
| browser.
https://www.herodevs.com/vulnerability-directory/cve-2024-6531
But I think the bigger issue is that Bootstrap 3 and 4 are EOLed,
so possibly Debian should move to use 5 instead?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-6531
https://www.cve.org/CVERecord?id=CVE-2024-6531
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: twitter-bootstrap4
Source-Version: 4.6.1+dfsg1-4+deb12u1
Done: Bastien Roucariès <ro...@debian.org>
We believe that the bug you reported is fixed in the latest version of
twitter-bootstrap4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1084...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated twitter-bootstrap4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 13 Apr 2025 13:42:02 +0200
Source: twitter-bootstrap4
Architecture: source
Version: 4.6.1+dfsg1-4+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1084059
Changes:
twitter-bootstrap4 (4.6.1+dfsg1-4+deb12u1) bookworm; urgency=high
.
* Team upload
* Fix CVE-2024-6531 (XSS vulnerability):
    An anchor element (<a>), when used for carousel navigation with a
    data-slide attribute, can contain an href attribute value that is not
    subject to proper content sanitization. Improper extraction of the
    intended target carousel's #id from the href attribute can lead to use
    cases where the click event's preventDefault() is not applied and the
    href is evaluated and executed. As a result, restrictions are not
    applied to the data that is evaluated, which can lead to potential XSS
    vulnerabilities. (Closes: #1084059)
--- End Message ---
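The changelog above describes the defect as a carousel control anchor whose href is not strictly validated before being treated as the target carousel's #id, so a non-matching href falls through to the browser without preventDefault(). The following is an added illustration of the hardened extraction logic, written for this page and not taken from Bootstrap or the Debian patch; the function names, the fragment-id regex and the `knownCarousels` set standing in for the document are all assumptions.

```javascript
// Added example (not Bootstrap's code): strict extraction of a carousel
// target from a control anchor, plus the click decision that follows.

// Only a bare fragment identifier such as "#myCarousel" is accepted as a
// target. Absolute URLs, javascript: URLs and arbitrary CSS selectors are
// rejected rather than being passed on to querySelector.
const FRAGMENT_ID = /^#[A-Za-z][\w-]*$/;

function getCarouselTargetId(dataTarget, href) {
  // data-target takes precedence, falling back to href (Bootstrap's data
  // API uses the same order). Everything else about the check is ours.
  const candidate = (dataTarget && dataTarget !== '#') ? dataTarget : href;
  if (typeof candidate !== 'string') return null;
  const trimmed = candidate.trim();
  return FRAGMENT_ID.test(trimmed) ? trimmed.slice(1) : null;
}

// Decide what a click on an anchor should do. `attrs` holds the element's
// attributes; `knownCarousels` is a constructed stand-in for the carousel
// ids present in the document. Returns the decision instead of touching a
// DOM, so it can be exercised without a browser.
function handleControlClick(attrs, knownCarousels) {
  const isControl = 'data-slide' in attrs || 'data-slide-to' in attrs;
  if (!isControl) return { preventDefault: false, slide: null };

  const id = getCarouselTargetId(attrs['data-target'], attrs.href);
  const carousel = id !== null && knownCarousels.has(id) ? id : null;

  // A control anchor never falls through to default navigation: even when
  // the target is missing or malformed the href must not be evaluated.
  // Sliding happens only for a validated, existing carousel.
  const to = 'data-slide' in attrs ? attrs['data-slide'] : Number(attrs['data-slide-to']);
  return { preventDefault: true, slide: carousel ? { carousel, to } : null };
}

module.exports = { getCarouselTargetId, handleControlClick };
```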