• unblock: twitter-bootstrap3/3.4.1+dfsg-6

    From Bastien Roucaries@21:1/5 to Debian Bug Tracking System on Sun Jun 1 15:49:55 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: twitter-bootstrap3@packages.debian.org
    Control: affects -1 + src:twitter-bootstrap3
    User: release.debian.org@packages.debian.org
    Usertags: unblock

    Please unblock package twitter-bootstrap3

    [ Reason ]
    CVE-2025-1647


    [ Impact ]
    CVE-2025-1647: XSS injection


    [ Tests ]
    Manual, using the PoC, plus review by yadd

    [ Risks ]
    Low, changes are minimal

    [ Checklist ]
    [X] all changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in testing

    [ Other info ]
    Lack of upstream support (EOL)

    unblock twitter-bootstrap3/3.4.1+dfsg-6

    Attachment: 4_6.debdiff

    diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
    --- twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-04-10 23:47:00.000000000 +0200
    +++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-06-01 15:39:35.000000000 +0200
    @@ -1,3 +1,26 @@
    +twitter-bootstrap3 (3.4.1+dfsg-6) unstable; urgency=medium
    +
    + * Team upload
    + * Do not refresh patches compared to 3.4.1+dfsg-4 in order
    + to ease unblock to trixie.
    +
    + -- Bastien Roucariès <rouca@debian.org> Sun, 01 Jun 2025 15:39:35 +0200
    +
    +twitter-bootstrap3 (3.4.1+dfsg-5) unstable; urgency=medium
    +
    + * Team upload
    + * Fix CVE-2025-1647 (Closes: #1105899)
    + Improper Neutralization of Input During Web Page
    + Generation (XSS or 'Cross-site Scripting') vulnerability
    + in Bootstrap allows Cross-Site Scripting (XSS)
    + DOM-based cross-site scripting (XSS) via DOM clobbering
    + occurs when an attacker manipulates the Document Object Model
    + (DOM) to overwrite or "clobber" an existing DOM object,
    + leading to the execution of malicious scripts, particularly
    + document.i
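Review bot: the 3.4.1+dfsg-5 entry (the `+ * Fix CVE-2025-1647 (Closes: #1105899)` block) restates the advisory text at length but, in the lines shown, does not say which file under debian/patches carries the fix or where it was taken from; a short pointer such as `+ (debian/patches/<patch-name>, backported from upstream)` would let the release team match the debdiff to the CVE without reading the whole diff. The entry also describes the same issue twice in a row (`allows Cross-Site Scripting (XSS)` followed by `DOM-based cross-site scripting (XSS) via DOM clobbering`); keeping only the DOM clobbering sentence would make the changelog shorter and clearer.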