
Re: [SECURITY] [DLA 4124-1] twitter-bootstrap3 security update



On Monday 14 April 2025 at 09:06:47 Central European Summer Time, Bastien
Roucaries wrote:
> On Monday 14 April 2025 at 02:44:02 Central European Summer Time, Santiago
> Ruano Rincón wrote:
> > Hi Bastien,
> > 
> > On 13/04/25 at 16:15, rouca@debian.org wrote:
> > > ------------------------------------------------------------------------
> > > Debian LTS Advisory DLA-4124-1               debian-lts@lists.debian.org
> > > https://www.debian.org/lts/security/                   Bastien Roucariès
> > > April 13, 2025                               https://wiki.debian.org/LTS
> > > ------------------------------------------------------------------------
> > > 
> > > Package        : twitter-bootstrap3
> > > Version        : 3.4.1+dfsg-2+deb11u1
> > > CVE ID         : CVE-2024-6484 CVE-2024-6485
> > > Debian Bug     : 1084060
> > > 
> > > Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS
> > > framework, was affected by XSS vulnerabilities.
> > > 
> > > If you use bootstrap through a module bundler, you may need to rebuild
> > > your application.
> > > 
> > > For Debian 11 bullseye, these problems have been fixed in version
> > > 3.4.1+dfsg-2+deb11u1.
> > 
> > [snip]
> > 
> > Thanks a lot for handling these updates.
> > 
> > You mentioned that this (and twitter-bootstrap4's DLA 4125-1) would
> > require rebuilding some reverse dependencies. Do you already have a list
> > of the affected reverse dependencies?
> 
> I do not know the full extent of the problem because it will need a manual
> analysis of the packages in the attached list.txt. This list is the actual
> build-depends on the libjs-bootstrap package for bullseye.
> 
> Some post-build link (dynamically or similarly) to bootstrap, so they are not
> affected and do not need a rebuild.

Ok, a first build will be needed (after a manual check) for:
bazel-bootstrap
glewlwyd
jupyter-notebook
jupyter-sphinx-theme (need to rebuild everything depending on it)
kapidox (need to rebuild everything depending on it)
keepassxc-browser (need rebuild: copy instead of link due to firefox bug #992263)
lava (does not use the debian patch but its own embedded copy)
ontospy (need rebuild, and everything depending on it)
orthanc-dicomweb
ruby-bootstrap-switch-rails (need to rebuild everything depending on it, no need to rebuild itself)
syncthing (copy, no link, so needs rebuild)

I do not find B-D on jupyter-sphinx-theme, kapidox, ruby-bootstrap-switch-rails (please cross check), so only 11 packages.

Bastien
> 
> > For next time, I guess it would be useful to include the rebuilt
> > packages in the same DLA, as we have made a couple of times with golang
> > packages.
> 
> Not sure about this. This is not a BinNMU but a source NMU, so it needs a new
> version and thus a DLA per package.
> 
> Regards
> 
> Bastien
> 
> > Thanks!
> > 
> >  -- Santiago
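The distinction Bastien draws above, between packages that symlink into libjs-bootstrap (covered by the library update alone) and packages that ship an embedded copy (which need a source rebuild), can be checked mechanically on an installed system. The script below is an added example, not part of this thread or of Debian's tooling; it assumes GNU `readlink -f`, that libjs-bootstrap installs its files under /usr/share/javascript/bootstrap (an assumed path, overridable through CANON), and that `audit_package` may shell out to `dpkg -L`.

```shell
#!/bin/sh
# Added example: classify a package's bootstrap assets as symlinks into the
# libjs-bootstrap tree (fixed by the library update alone) or embedded copies
# (need a source rebuild). Assumes libjs-bootstrap installs under
# /usr/share/javascript/bootstrap (assumed path; override CANON to test).
CANON="${CANON:-/usr/share/javascript/bootstrap}"

# classify_file FILE: prints one of link, other, missing,
# copy-current, copy-differs, copy-unknown
classify_file() {
    f="$1"
    canon_real=$(readlink -f "$CANON" 2>/dev/null || printf '%s' "$CANON")
    if [ -L "$f" ]; then
        target=$(readlink -f "$f" 2>/dev/null || true)
        case "$target" in
            "$canon_real"/*) echo link ;;      # follows the packaged library
            *) echo other ;;                   # symlink to something else
        esac
        return 0
    fi
    [ -f "$f" ] || { echo missing; return 0; }
    canon_file="$CANON/$(basename "$f")"
    if [ ! -f "$canon_file" ]; then
        echo copy-unknown    # embedded file with no canonical counterpart
    elif cmp -s "$f" "$canon_file"; then
        echo copy-current    # byte-identical to the installed library file
    else
        echo copy-differs    # embedded copy out of step with the fixed library
    fi
}

# audit_files: one path per line on stdin -> "<class> <path>" per line
audit_files() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s %s\n' "$(classify_file "$path")" "$path"
    done
}

# audit_package PKG: bootstrap-looking .js/.css files shipped by PKG
audit_package() {
    dpkg -L "$1" 2>/dev/null | grep -Ei 'bootstrap[^/]*\.(js|css)$' | audit_files
}

# count_differs: number of copy-differs lines in audit_files output
count_differs() {
    grep -c '^copy-differs ' || true
}
```

On a bullseye host with the updated libjs-bootstrap installed, `audit_package jupyter-notebook | count_differs` returning a non-zero count flags embedded copies that the library update did not reach.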
