XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: twitter-bootstrap3@packages.debian.org
Control: affects -1 + src:twitter-bootstrap3
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package twitter-bootstrap3
[ Reason ]
CVE-2025-1647
[ Impact ]
CVE-2025-1647 XSS injection
[ Tests ]
Manual testing using the PoC, plus review by yadd
[ Risks ]
Low; the changes are minimal
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
Lack of upstream support (EOL)
unblock twitter-bootstrap3/3.4.1+dfsg-6
[Attachment: 4_6.debdiff, text/x-patch]
diff -Nru twitter-bootstrap3-3.4.1+dfsg/debian/changelog twitter-bootstrap3-3.4.1+dfsg/debian/changelog
--- twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-04-10 23:47:00.000000000 +0200
+++ twitter-bootstrap3-3.4.1+dfsg/debian/changelog 2025-06-01 15:39:35.000000000 +0200
@@ -1,3 +1,26 @@
+twitter-bootstrap3 (3.4.1+dfsg-6) unstable; urgency=medium
+
+ * Team upload
+ * Do not refresh patches compared to 3.4.1+dfsg-4 in order
+ to ease unblock to trixie.
+
+ -- Bastien Roucariès <
rouca@debian.org> Sun, 01 Jun 2025 15:39:35 +0200
+
+twitter-bootstrap3 (3.4.1+dfsg-5) unstable; urgency=medium
+
+ * Team upload
+ * Fix CVE-2025-1647 (Closes: #1105899)
+ Improper Neutralization of Input During Web Page
+ Generation (XSS or 'Cross-site Scripting') vulnerability
+ in Bootstrap allows Cross-Site Scripting (XSS)
+ DOM-based cross-site scripting (XSS) via DOM clobbering
+ occurs when an attacker manipulates the Document Object Model
+ (DOM) to overwrite or "clobber" an existing DOM object,
+ leading to the execution of malicious scripts, particularly
+ document.i
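Review bot: the attached debdiff stops inside the 3.4.1+dfsg-5 changelog entry (the text breaks off at "document.i" and nothing from debian/patches follows), so the actual change that fixes CVE-2025-1647 cannot be reviewed from this attachment; please confirm that the full debdiff against the package in testing, including the new patch under debian/patches, was attached. In the changelog itself, the -5 entry pastes the CVE's CWE-79 description but never names the patch file or the upstream commit or advisory it was derived from, and the -6 entry says patches were not refreshed relative to 3.4.1+dfsg-4 without saying which patch had been refreshed in -5 and is reverted here; one line per entry naming the patch file and its origin (e.g. "* debian/patches/<name>: backport of upstream fix for CVE-2025-1647") would make the release team's review of the testing-to-unstable diff much easier.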