On Monday, 14 April 2025 at 02:44:02 CEST, Santiago Ruano Rincón wrote:
> Hi Bastien,
>
> On 13/04/25 at 16:15, rouca@debian.org wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > -------------------------------------------------------------------------
> > Debian LTS Advisory DLA-4124-1                debian-lts@lists.debian.org
> > https://www.debian.org/lts/security/                   Bastien Roucariès
> > April 13, 2025                                https://wiki.debian.org/LTS
> > -------------------------------------------------------------------------
> >
> > Package        : twitter-bootstrap3
> > Version        : 3.4.1+dfsg-2+deb11u1
> > CVE ID         : CVE-2024-6484 CVE-2024-6485
> > Debian Bug     : 1084060
> >
> > Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS
> > framework, was affected by XSS vulnerabilities.
> >
> > If you use bootstrap through a module bundler, you may need to rebuild
> > your application.
> >
> > For Debian 11 bullseye, these problems have been fixed in version
> > 3.4.1+dfsg-2+deb11u1.
> > [snip]
>
> Thanks a lot for handling these updates.
>
> You mentioned that this (and twitter-bootstrap4's DLA 4125-1) would
> require rebuilding some reverse dependencies. Do you already have a list
> of the affected reverse dependencies?

I do not know the full extent of the problem because it will need a manual
analysis of the packages in the attached list.txt. This list is the actual
build-depends on the libjs-bootstrap package for bullseye. Some link
(dynamically or similarly) to bootstrap post-build, so they are not affected
and do not need a rebuild.

> For next time, I guess it would be useful to include the rebuilt
> packages in the same DLA, as we have made a couple of times with golang
> packages.

Not sure about this. This is not a BinNMU but a source NMU, so it needs a new
version and thus a DLA per package.

Regards

Bastien

> Thanks!
>
> -- Santiago
Attachment: list.txt (bullseye packages build-depending on libjs-bootstrap)

bazel-bootstrap
borgbackup
debci
eonasdan-bootstrap-datetimepicker
fmtlib
freedombox
glewlwyd
jupyter-notebook
jupyter-sphinx-theme
kapidox
keepassxc-browser
lava
libminion-perl
libmojolicious-perl
macaulay2
node-gulp-sourcemaps
ontospy
orthanc-dicomweb
pagure
php-codecoverage
python-vispy
r-cran-shiny
ruby-bootstrap-switch-rails
ruby-sidekiq
supysonic
syncthing
toppic
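The manual analysis Bastien describes boils down to one question per reverse build-dependency: does the built binary package carry its own copy of the Bootstrap assets (baked in at build time, so a source upload and rebuild are needed), or does it merely symlink to the files shipped by libjs-bootstrap (picked up automatically once the fixed package is installed)? The following script is an added example, not code from the thread or from the Debian LTS team; it walks an unpacked binary package tree (for example the output of `dpkg-deb -R pkg.deb dir`) and classifies every `bootstrap*.js` / `bootstrap*.css` it finds. The shared location `/usr/share/javascript/bootstrap`, the package names "foo" and "bar" and the file layout in the demo fixture are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify Bootstrap assets inside an
# unpacked binary package tree. A symlink into the shared libjs-bootstrap
# location picks up the fixed package automatically; a regular file is a
# private copy baked in at build time and needs a source upload and rebuild.
#
# Usage on a real package:   dpkg-deb -R some_package.deb /tmp/pkg
#                            classify_bootstrap_copies /tmp/pkg
# The shared path, package names and layout below are assumptions for the demo.

SHARED_BOOTSTRAP_DIR='/usr/share/javascript/bootstrap'   # assumed libjs-bootstrap path

# Print one line per Bootstrap-looking asset found under $1:
#   embedded <path>                  regular file: private copy, rebuild needed
#   symlink <path> -> <target>       link into the shared libjs-bootstrap tree
#   symlink-other <path> -> <target> link somewhere else: inspect manually
classify_bootstrap_copies() {
    find "$1" \( -name 'bootstrap*.js' -o -name 'bootstrap*.css' \) \
        ! -path "*${SHARED_BOOTSTRAP_DIR}/*" |
    while IFS= read -r asset; do
        if [ -L "$asset" ]; then
            target=$(readlink "$asset")
            case "$target" in
                "${SHARED_BOOTSTRAP_DIR}"/*) echo "symlink $asset -> $target" ;;
                *)                           echo "symlink-other $asset -> $target" ;;
            esac
        else
            echo "embedded $asset"
        fi
    done
}

# Number of private copies in the tree (0 means no rebuild is needed).
count_embedded() {
    classify_bootstrap_copies "$1" | grep -c '^embedded ' || true
}

# Constructed fixture standing in for two unpacked packages: "foo" embeds a
# copy of bootstrap.min.js, "bar" symlinks bootstrap.min.css to libjs-bootstrap.
make_demo_tree() {
    mkdir -p "$1/usr/share/foo/static/js" "$1/usr/share/bar/static/css"
    printf '/* constructed stand-in for bootstrap 3.4.1 */\n' \
        > "$1/usr/share/foo/static/js/bootstrap.min.js"
    ln -s "${SHARED_BOOTSTRAP_DIR}/css/bootstrap.min.css" \
        "$1/usr/share/bar/static/css/bootstrap.min.css"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    classify_bootstrap_copies "$demo"
    echo "embedded copies: $(count_embedded "$demo")"
    rm -rf "$demo"
fi
```

Run with `--demo` to see the two cases side by side; on a real list, loop over the binary packages built from each source in the attachment (`apt-cache rdepends libjs-bootstrap` gives the runtime side, the attachment gives the build-time side), unpack each with `dpkg-deb -R`, and only packages with a non-zero `count_embedded` need the per-package DLA that the reply mentions. A `symlink-other` hit still deserves a look, since a link into a package's own copy is as stale as an embedded file.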