Your message dated Sun, 13 Apr 2025 09:46:26 +0000
with message-id <e1u3tv0-00erjr...@fasolo.debian.org>
and subject line Bug#1084060: fixed in twitter-bootstrap3 3.4.1+dfsg-4
has caused the Debian Bug report #1084060,
regarding twitter-bootstrap3: CVE-2024-6484 CVE-2024-6485
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1084060: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: twitter-bootstrap3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for twitter-bootstrap3.
CVE-2024-6484[0]:
| A vulnerability has been identified in Bootstrap that exposes users
| to Cross-Site Scripting (XSS) attacks. The issue is present in the
| carousel component, where the data-slide and data-slide-to
| attributes can be exploited through the href attribute of an <a> tag
| due to inadequate sanitization. This vulnerability could potentially
| enable attackers to execute arbitrary JavaScript within the victim's
| browser.
https://www.herodevs.com/vulnerability-directory/cve-2024-6484
CVE-2024-6485[1]:
| A security vulnerability has been discovered in bootstrap that could
| enable Cross-Site Scripting (XSS) attacks. The vulnerability is
| associated with the data-loading-text attribute within the button
| plugin. This vulnerability can be exploited by injecting malicious
| JavaScript code into the attribute, which would then be executed
| when the button's loading state is triggered.
https://www.herodevs.com/vulnerability-directory/cve-2024-6485
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-6484
https://www.cve.org/CVERecord?id=CVE-2024-6484
[1] https://security-tracker.debian.org/tracker/CVE-2024-6485
https://www.cve.org/CVERecord?id=CVE-2024-6485
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: twitter-bootstrap3
Source-Version: 3.4.1+dfsg-4
Done: Bastien Roucariès <ro...@debian.org>
We believe that the bug you reported is fixed in the latest version of
twitter-bootstrap3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1084...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated twitter-bootstrap3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 10 Apr 2025 23:47:00 +0200
Source: twitter-bootstrap3
Architecture: source
Version: 3.4.1+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Closes: 1084060
Changes:
twitter-bootstrap3 (3.4.1+dfsg-4) unstable; urgency=medium
.
  * Team upload
  * Fix CVE-2024-6485:
    A security vulnerability has been discovered in bootstrap
    that could enable Cross-Site Scripting (XSS) attacks.
    The vulnerability is associated with the data-loading-text
    attribute within the button plugin.
    This vulnerability can be exploited by injecting malicious
    JavaScript code into the attribute, which would then be
    executed when the button's loading state is triggered.
    (Closes: #1084060)
  * Fix CVE-2024-6484:
    A vulnerability has been identified in Bootstrap that
    exposes users to Cross-Site Scripting (XSS) attacks.
    The issue is present in the carousel component, where the
    data-slide and data-slide-to attributes can be exploited
    through the href attribute of an <a> tag due to inadequate
    sanitization. This vulnerability could potentially enable
    attackers to execute arbitrary JavaScript within
    the victim's browser.
    (Closes: #1084060)
--- End Message ---
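The two attribute sinks named in the bug report and repeated in the changelog (the carousel target taken from a data-slide / data-slide-to link's href, and the button's data-loading-text) are where a defender's allowlist and escaping belong. The JavaScript below is an added example, not Bootstrap's code nor the Debian patch; the function names, the "#id" allowlist regex and the sample template are assumptions chosen for illustration.

```javascript
// Added example, not Bootstrap's code nor the Debian patch: defender-side handling
// of the sinks in CVE-2024-6484 (carousel target read from the href of data-slide
// / data-slide-to links) and CVE-2024-6485 (button data-loading-text). No DOM needed.
// Only a bare "#id" fragment may reach a selector or HTML-parsing API.
const ID_FRAGMENT = /^#[A-Za-z][\w-]*$/;
// Like the carousel: prefer data-target, else the href fragment.  Returns the
// allowlisted "#id" or null for anything else (markup, spaces, no fragment).
function resolveCarouselTarget(dataTarget, href) {
  let candidate = dataTarget;
  if (!candidate && typeof href === 'string') {
    const i = href.lastIndexOf('#');
    candidate = i === -1 ? null : href.slice(i);
  }
  return typeof candidate === 'string' && ID_FRAGMENT.test(candidate) ? candidate : null;
}
// Safe loading-state label: the attribute value is data, never markup, so the
// structural characters are escaped (in a live DOM: textContent, not innerHTML).
function loadingLabelHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text == null ? '' : String(text).replace(/[&<>"']/g, (c) => map[c]);
}
// Audit a template for both sinks and list the values the rules above reject.
// Regex-based to stay self-contained; a real audit should walk a parsed DOM.
const TAG = /<[a-z]+\b(?:[^>"]|"[^"]*")*>/gi;
function auditMarkup(html) {
  const attr = (tag, name) =>
    (tag.match(new RegExp(`\\b${name}="([^"]*)"`, 'i')) || [])[1] ?? null;
  const findings = [];
  for (const [tag] of html.matchAll(TAG)) {
    const text = attr(tag, 'data-loading-text');
    if (text !== null && loadingLabelHtml(text) !== text) {
      findings.push({ sink: 'data-loading-text', value: text });
    }
    if (attr(tag, 'data-slide') === null && attr(tag, 'data-slide-to') === null) continue;
    const href = attr(tag, 'href');
    if (resolveCarouselTarget(attr(tag, 'data-target'), href) === null) {
      findings.push({ sink: 'carousel-href', value: href });
    }
  }
  return findings;
}

// Constructed sample template (not taken from the bug report).
const SAMPLE = [
  '<a href="#demoCarousel" data-slide="prev">Prev</a>',
  '<a href="#<em>x</em>" data-slide-to="1">Slide 2</a>',
  '<button data-loading-text="Loading <i>please wait</i>">Go</button>',
  '<button data-loading-text="Loading...">Send</button>',
].join('\n');
```

Running auditMarkup(SAMPLE) reports the second link and the first button; the other two elements pass because their values are a plain id fragment and plain text.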
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel