Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello, twitter-bootstrap3 has several open CVEs to fix (issues marked as
no-dsa). This patch imports the related fix from upstream twitter-bootstrap 3.4.
Cheers,
Xavier
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/changelog twitter-bootstrap3-3.3.7+dfsg/debian/changelog
--- twitter-bootstrap3-3.3.7+dfsg/debian/changelog 2016-10-24 14:45:58.000000000 +0200
+++ twitter-bootstrap3-3.3.7+dfsg/debian/changelog 2019-01-06 23:34:50.000000000 +0100
@@ -1,3 +1,11 @@
+twitter-bootstrap3 (3.3.7+dfsg-2+deb9u1) stretch; urgency=high
+
+ * Team upload.
+ * Fix multiples XSS vulnerabilities (Closes: #907414)
+ * Update debian/copyright
+
+ -- Xavier Guimard <yadd@debian.org> Sun, 06 Jan 2019 23:34:50 +0100
+
twitter-bootstrap3 (3.3.7+dfsg-2) unstable; urgency=medium
* Team upload
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/copyright twitter-bootstrap3-3.3.7+dfsg/debian/copyright
--- twitter-bootstrap3-3.3.7+dfsg/debian/copyright 2016-10-24 14:45:58.000000000 +0200
+++ twitter-bootstrap3-3.3.7+dfsg/debian/copyright 2019-01-06 23:34:36.000000000 +0100
@@ -9,7 +9,7 @@
js/tests/vendor/jquery.min.js
Files: *
-Copyright: 2011-2015, Twitter, Inc.
+Copyright: 2011-2018, Twitter, Inc.
2014, jQuery Foundation and other contributors
2014, "Cowboy" Ben Alman, contributors
HTML5 Boilerplate
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch
--- twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch 1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch 2019-01-06 23:34:15.000000000 +0100
@@ -0,0 +1,305 @@
+Description: Fix multies vulnerabilities
+Author: Xavier Guimard <yadd@debian.org>
+Origin: upstream, https://github.com/twbs/bootstrap/pull/26630/commits/efca80bb5bb34546a2e7a9488b89f71457d2ad92
+Bug: https://github.com/twbs/bootstrap/pull/26630
+Bug-Debian: https://bugs.debian.org/907414
+Forwarded: not-needed
+Last-Update: 2019-01-06
+
+--- a/dist/js/bootstrap.js
++++ b/dist/js/bootstrap.js
+@@ -1,6 +1,6 @@
+ /*!
+ * Bootstrap v3.3.7 (http://getbootstrap.com)
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+ * Licensed under the MIT license
+ */
+
+@@ -109,7 +109,8 @@
+ selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
+ }
+
+- var $parent = $(selector === '#' ? [] : selector)
++ selector = selector === '#' ? [] : selector
++ var $parent = $(document).find(selector)
+
+ if (e) e.preventDefault()
+
+@@ -443,7 +444,9 @@
+ var slidEvent = $.Event('slid.bs.carousel', { relatedTarget: relatedTarget, direction: direction }) // yes, "slid"
+ if ($.support.transition && this.$element.hasClass('slide')) {
+ $next.addClass(type)
+- $next[0].offsetWidth // force reflow
++ if (typeof $next === 'object' && $next.length) {
++ $next[0].offsetWidth // force reflow
++ }
+ $active.addClass(direction)
+ $next.addClass(direction)
+ $active
+@@ -505,10 +508,17 @@
+ // =================
+
+ var clickHandler = function (e) {
+- var href
+ var $this = $(this)
+- var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
++ var href = $this.attr('href')
++ if (href) {
++ href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
++ }
++
++ var target = $this.attr('data-target') || href
++ var $target = $(document).find(target)
++
+ if (!$target.hasClass('carousel')) return
++
+ var options = $.extend({}, $target.data(), $this.data())
+ var slideIndex = $this.attr('data-slide-to')
+ if (slideIndex) options.interval = false
+@@ -674,7 +684,7 @@
+ }
+
+ Collapse.prototype.getParent = function () {
+- return $(this.options.parent)
++ return $(document).find(this.options.parent)
+ .find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]')
+ .each($.proxy(function (i, element) {
+ var $element = $(element)
+@@ -697,7 +707,7 @@
+ var target = $trigger.attr('data-target')
+ || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+
+- return $(target)
++ return $(document).find(target)
+ }
+
+
+@@ -779,7 +789,7 @@
+ selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
+ }
+
+- var $parent = selector && $(selector)
++ var $parent = selector && $(document).find(selector)
+
+ return $parent && $parent.length ? $parent : $this.parent()
+ }
+@@ -1307,7 +1317,7 @@
+ this.type = type
+ this.$element = $(element)
+ this.options = this.getOptions(options)
+- this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
++ this.$viewport = this.options.viewport && $(document).find($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
+ this.inState = { click: false, hover: false, focus: false }
+
+ if (this.$element[0] instanceof document.constructor && !this.options.selector) {
+@@ -1460,7 +1470,7 @@
+ .addClass(placement)
+ .data('bs.' + this.type, this)
+
+- this.options.container ? $tip.appendTo(this.options.container) : $tip.insertAfter(this.$element)
++ this.options.container ? $tip.appendTo($(document).find(this.options.container)) : $tip.insertAfter(this.$element)
+ this.$element.trigger('inserted.bs.' + this.type)
+
+ var pos = this.getPosition()
+@@ -2107,7 +2117,7 @@
+
+ if (showEvent.isDefaultPrevented() || hideEvent.isDefaultPrevented()) return
+
+- var $target = $(selector)
++ var $target = $(document).find(selector)
+
+ this.activate($this.closest('li'), $ul)
+ this.activate($target, $target.parent(), function () {
+--- a/js/affix.js
++++ b/js/affix.js
+@@ -2,7 +2,7 @@
+ * Bootstrap: affix.js v3.3.7
+ * http://getbootstrap.com/javascript/#affix
+ * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ * ======================================================================== */
+
+@@ -16,7 +16,9 @@
+ var Affix = function (element, options) {
+ this.options = $.extend({}, Affix.DEFAULTS, options)
+
+- this.$target = $(this.options.target)
++ var target = this.options.target === Affix.DEFAULTS.target ? $(this.options.target) : $(document).find(this.options.target)
++
++ this.$target = target
+ .on('scroll.bs.affix.data-api', $.proxy(this.checkPosition, this))
+ .on('click.bs.affix.data-api', $.proxy(this.checkPositionWithEventLoop, this))
+
+--- a/js/alert.js
++++ b/js/alert.js
+@@ -2,7 +2,7 @@
+ * Bootstrap: alert.js v3.3.7
+ * http://getbootstrap.com/javascript/#alerts
+ * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ * ======================================================================== */
+
+@@ -31,7 +31,8 @@
+ selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
+ }
+
+- var $parent = $(selector === '#' ? [] : selector)
++ selector = selector === '#' ? [] : selector
++ var $parent = $(document).find(selector)
+
+ if (e) e.preventDefault()
+
+--- a/js/carousel.js
++++ b/js/carousel.js
+@@ -2,7 +2,7 @@
+ * Bootstrap: carousel.js v3.3.7
+ * http://getbootstrap.com/javascript/#carousel
+ * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ * ======================================================================== */
+
+@@ -144,7 +144,9 @@
+ var slidEvent = $.Event('slid.bs.carousel', { relatedTarget: relatedTarget, direction: direction }) // yes, "slid"
+ if ($.support.transition && this.$element.hasClass('slide')) {
+ $next.addClass(type)
+- $next[0].offsetWidth // force reflow
++ if (typeof $next === 'object' && $next.length) {
++ $next[0].offsetWidth // force reflow
++ }
+ $active.addClass(direction)
+ $next.addClass(direction)
+ $active
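Review bot: The `typeof $next === 'object'` half of the new reflow guard is always true for a jQuery collection, so `$next.length` alone carries the check; `if ($next.length) {` reads the same and does not suggest `$next` might be a primitive. The guard itself is worth keeping, because `$next[0].offsetWidth` throws on an empty collection. The enclosing slide method starts and ends outside the hunk.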
+@@ -206,10 +208,17 @@
+ // =================
+
+ var clickHandler = function (e) {
+- var href
+ var $this = $(this)
+- var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
++ var href = $this.attr('href')
++ if (href) {
++ href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
++ }
++
++ var target = $this.attr('data-target') || href
++ var $target = $(document).find(target)
++
+ if (!$target.hasClass('carousel')) return
++
+ var options = $.extend({}, $target.data(), $this.data())
+ var slideIndex = $this.attr('data-slide-to')
+ if (slideIndex) options.interval = false
+--- a/js/collapse.js
++++ b/js/collapse.js
+@@ -2,7 +2,7 @@
+ * Bootstrap: collapse.js v3.3.7
+ * http://getbootstrap.com/javascript/#collapse
+ * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ * ======================================================================== */
+
+@@ -137,7 +137,7 @@
+ }
+
+ Collapse.prototype.getParent = function () {
+- return $(this.options.parent)
++ return $(document).find(this.options.parent)
+ .find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]')
+ .each($.proxy(function (i, element) {
+ var $element = $(element)
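Review bot: `this.options.parent` is still concatenated unescaped into the attribute selector on the line after the changed one, so a `data-parent` value containing `"` or `\` yields a malformed selector and `.find()` throws a jQuery syntax error; moving the outer lookup to `$(document).find()` closes the HTML-parsing path but does not cover this inner selector string. Escaping the quoted value is enough here, e.g. `'[data-toggle="collapse"][data-parent="' + String(this.options.parent).replace(/["\\]/g, '\\$&') + '"]'`, and it is unclear from the diff whether the bundled jQuery offers `$.escapeSelector`, so a local escape is the safer choice. getParent continues past the end of the hunk.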
+@@ -160,7 +160,7 @@
+ var target = $trigger.attr('data-target')
+ || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+
+- return $(target)
++ return $(document).find(target)
+ }
+
+
+--- a/js/dropdown.js
++++ b/js/dropdown.js
+@@ -2,7 +2,7 @@
+ * Bootstrap: dropdown.js v3.3.7
+ * http://getbootstrap.com/javascript/#dropdowns
+ * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ * ======================================================================== */
+
+@@ -19,7 +19,7 @@
+ $(element).on('click.bs.dropdown', this.toggle)
+ }
+
+- Dropdown.VERSION = '3.3.7'
++ Dropdown.VERSION = '3.4.0'
+
+ function getParent($this) {
+ var selector = $this.attr('data-target')
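Review bot: The `Dropdown.VERSION` bump from `'3.3.7'` to `'3.4.0'` is a stray part of the upstream cherry-pick: the package still ships 3.3.7, no other component's VERSION is touched, and the dist/js/bootstrap.js hunks in this same patch bump nothing, so `$.fn.dropdown.Constructor.VERSION` would disagree between the bundled and per-component files. Drop this hunk and keep `Dropdown.VERSION = '3.3.7'`; the security fix is the `$(document).find(selector)` change in the next hunk and does not depend on it. The enclosing module body starts and ends outside the hunk.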
+@@ -29,7 +29,7 @@
+ selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
+ }
+
+- var $parent = selector && $(selector)
++ var $parent = selector && $(document).find(selector)
+
+ return $parent && $parent.length ? $parent : $this.parent()
+ }
+--- a/js/tab.js
++++ b/js/tab.js
+@@ -2,7 +2,7 @@
+ * Bootstrap: tab.js v3.3.7
+ * http://getbootstrap.com/javascript/#tabs
+ * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ * ======================================================================== */
+
+@@ -48,7 +48,7 @@
+
+ if (showEvent.isDefaultPrevented() || hideEvent.isDefaultPrevented()) return
+
+- var $target = $(selector)
++ var $target = $(document).find(selector)
+
+ this.activate($this.closest('li'), $ul)
+ this.activate($target, $target.parent(), function () {
+--- a/js/tooltip.js
++++ b/js/tooltip.js
+@@ -3,7 +3,7 @@
+ * http://getbootstrap.com/javascript/#tooltip
+ * Inspired by the original jQuery.tipsy by Jason Frame
+ * ========================================================================
+- * Copyright 2011-2016 Twitter, Inc.
++ * Copyright 2011-2018 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ * ======================================================================== */
+
+@@ -51,7 +51,7 @@
+ this.type = type
+ this.$element = $(element)
+ this.options = this.getOptions(options)
+- this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
++ this.$viewport = this.options.viewport && $(document).find($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
+ this.inState = { click: false, hover: false, focus: false }
+
+ if (this.$element[0] instanceof document.constructor && !this.options.selector) {
+@@ -204,7 +204,7 @@
+ .addClass(placement)
+ .data('bs.' + this.type, this)
+
+- this.options.container ? $tip.appendTo(this.options.container) : $tip.insertAfter(this.$element)
++ this.options.container ? $tip.appendTo($(document).find(this.options.container)) : $tip.insertAfter(this.$element)
+ this.$element.trigger('inserted.bs.' + this.type)
+
+ var pos = this.getPosition()
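Review bot: The patch changes dist/js/bootstrap.js and the js/*.js sources but leaves dist/js/bootstrap.min.js untouched, and the minified bundle is what most pages load; unless debian/rules regenerates it from the patched js/ sources, the unsafe `$(selector)` lookups remain in the installed package. Either carry the same change into bootstrap.min.js or verify that the build rebuilds it, and confirm by diffing the installed minified file against an unpatched 3.3.7 build. js/scrollspy.js and js/modal.js are not touched here either; whether their `data-target` handling needed the same `$(document).find()` treatment cannot be determined from this diff and should be checked against upstream 3.4.0. The patch header's `Description: Fix multies vulnerabilities` should also name the CVE identifiers it addresses so the security tracker can match it. The enclosing tooltip show method continues outside the hunk.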
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/patches/series twitter-bootstrap3-3.3.7+dfsg/debian/patches/series
--- twitter-bootstrap3-3.3.7+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ twitter-bootstrap3-3.3.7+dfsg/debian/patches/series 2019-01-06 23:30:34.000000000 +0100
@@ -0,0 +1 @@
+fix-xss-vulnerabilities.patch