bookworm-pu: package twitter-bootstrap4/4.6.1+dfsg1-4+deb12u1

    From Bastien Roucaries@21:1/5 to Debian Bug Tracking System on Sun Apr 13 14:53:57 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: twitter-bootstrap4@packages.debian.org
    Control: affects -1 + src:twitter-bootstrap4
    User: release.debian.org@packages.debian.org
    Usertags: pu


    [ Reason ]
    CVE-2024-6531

    [ Impact ]
    CVE-2024-6531 is not closed

    [ Tests ]
    No, but I tested the PoC

    [ Risks ]
    Low

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    CVE-2024-6531

    [ Other info ]
    May need a rebuild of webpacked/bundled packages

    Attachment: u1.debdiff (text/x-patch)

    diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/changelog twitter-bootstrap4-4.6.1+dfsg1/debian/changelog
    --- twitter-bootstrap4-4.6.1+dfsg1/debian/changelog 2022-11-25 06:37:10.000000000 +0100
    +++ twitter-bootstrap4-4.6.1+dfsg1/debian/changelog 2025-04-13 13:42:02.000000000 +0200
    @@ -1,3 +1,21 @@
    +twitter-bootstrap4 (4.6.1+dfsg1-4+deb12u1) bookworm; urgency=high
    +
    + * Team upload
    + * Fix CVE-2024-6531 (XSS vulnerability):
    + An anchor element (<a>), when used for carousel navigation
    + with a data-slide attribute, can contain an href attribute
    + value that is not subject to proper content sanitization.
    + Improper extraction of the intended target carousel’s
    + #id from the href attribute can lead to use cases where
    + the click event’s preventDefault()
    + is not applied and the href is evaluated and executed.
    + As a result, restrictions are not applied to the data
    + that is evaluated, which can lead to potential
    + XSS vulnerabilities.
    + (Closes: #1084059)
    +
    + -- Bastien Roucariès <rouca@debian.org> Sun, 13 Apr 2025 13:42:02 +0200
    +
    twitter-bootstrap4 (4.6
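    Review bot: the `+ * Fix CVE-2024-6531 (XSS vulnerability):` entry in this changelog hunk describes the bug in detail but never names the patch that fixes it, so a reviewer cannot tell from the changelog which file under debian/patches (or which upstream commit) is being backported; add the patch name to the entry, e.g. `+ * Fix CVE-2024-6531 (XSS vulnerability), backporting upstream fix as` / `+ d/patches/<PATCH-NAME>.patch:` (placeholder name, the real one is whatever the debdiff adds). Since [ Other info ] notes that webpacked/bundled copies may need a rebuild, a one-line hint in the same entry that reverse-dependencies embedding bootstrap.js only pick up the fix after a rebuild would help the stable-update reviewers and the security tracker.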