XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: twitter-bootstrap4@packages.debian.org
Control: affects -1 + src:twitter-bootstrap4
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
CVE-2024-6531
[ Impact ]
CVE-2024-6531 is not closed
[ Tests ]
No, but it was tested against the PoC.
[ Risks ]
Low
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
CVE-2024-6531
[ Other info ]
May need a rebuild of webpacked/bundled packages.
Content-Disposition: attachment; filename="u1.debdiff"
Content-Transfer-Encoding: quoted-printable
Content-Type: text/x-patch; charset="UTF-8"; name="u1.debdiff"
diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/changelog twitter-bootstrap4-4.6.1+dfsg1/debian/changelog
--- twitter-bootstrap4-4.6.1+dfsg1/debian/changelog 2022-11-25 06:37:10.000000000 +0100
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/changelog 2025-04-13 13:42:02.000000000 +0200
@@ -1,3 +1,21 @@
+twitter-bootstrap4 (4.6.1+dfsg1-4+deb12u1) bookworm; urgency=high
+
+ * Team upload
+ * Fix CVE-2024-6531 (XSS vulnerability):
+ An anchor element (<a>), when used for carousel navigation
+ with a data-slide attribute, can contain an href attribute
+ value that is not subject to proper content sanitization.
+ Improper extraction of the intended target carousel’s
+ #id from the href attribute can lead to use cases where
+ the click event’s preventDefault()
+ is not applied and the href is evaluated and executed.
+ As a result, restrictions are not applied to the data
+ that is evaluated, which can lead to potential
+ XSS vulnerabilities.
+ (Closes: #1084059)
+
+ -- Bastien Roucariès <
rouca@debian.org> Sun, 13 Apr 2025 13:42:02 +0200
+
twitter-bootstrap4 (4.6
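Review bot: this hunk carries only the debian/changelog entry; the debdiff should also include the patch under debian/patches that changes the carousel href handling described in the entry, and the entry should name that patch file and say whether the prebuilt bundled/minified output was regenerated (the cover note warns that webpacked/bundled packages may need a rebuild), so the CVE-2024-6531 fix is traceable from the changelog alone. The description itself states the right defensive invariant: a data-slide anchor must have preventDefault() applied unconditionally and the target carousel taken only as an #id fragment, never by evaluating the href.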