On 05/12/24 at 18:10, Sylvain Beucler wrote:
Any opinion on this? :)
Thanks for this ping, Sylvain.
I thought I had mentioned somewhere that Daniel Baumann showed some
interest in working on those CVEs, but that was some time ago. I
pinged him 15 days ago, and I am pinging him again. Without an answer, I
will consider contacting herodevs.
On a related topic, I filed bugs for all the packages (build-)depending
on twitter-bootstrap3 and twitter-bootstrap4:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-lts@lists.debian.org
Cheers,
On 20/11/2024 09:03, Sylvain Beucler wrote:
twitter-bootstrap3&4 have been sitting for a while in the FD and dla/ela-needed queues.
Context:
- EOL'd
https://getbootstrap.com/docs/4.6/end-of-life/
"Bootstrap 3 reached end of life July 24, 2019, followed by Bootstrap 4
on January 1, 2023."
- Affected by CVE-2024-6484, CVE-2024-6485, CVE-2024-6531
(affecting 3.x or 4.x, but not 5.x/current)
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6484
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6485
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6531
- Support and fixes are officially available through HeroDevs:
"for those who can’t upgrade just yet and have compliance or security
requirements, we’re introducing Never-Ending Support for Bootstrap 3 and
4 with HeroDevs."
https://www.herodevs.com/support/nes-bootstrap
AFAICS this is non-free and private.
- Other distros don't seem to consider these CVEs.
This is triaged in bookworm with:
<postponed> (Minor issue, revisit when fixed upstream)
but this most likely has no chance of happening, because it is EOL'd.
Do we want to reach out to HeroDevs?
Do we want to EOL these packages?
Do we want to try and fix this ourselves?