Version in base suite: 4.6.1+dfsg1-4 Base version: twitter-bootstrap4_4.6.1+dfsg1-4 Target version: twitter-bootstrap4_4.6.1+dfsg1-4+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/twitter-bootstrap4/twitter-bootstrap4_4.6.1+dfsg1-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/twitter-bootstrap4/twitter-bootstrap4_4.6.1+dfsg1-4+deb12u1.dsc changelog | 18 +++++++++++++++ patches/0003-CVE-2024-6531.patch | 45 +++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 64 insertions(+)
diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/changelog twitter-bootstrap4-4.6.1+dfsg1/debian/changelog
--- twitter-bootstrap4-4.6.1+dfsg1/debian/changelog 2022-11-25 05:37:10.000000000 +0000
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/changelog 2025-04-13 11:42:02.000000000 +0000
@@ -1,3 +1,21 @@
+twitter-bootstrap4 (4.6.1+dfsg1-4+deb12u1) bookworm; urgency=high
+
+ * Team upload
+ * Fix CVE-2024-6531 (XSS vulnerability):
+ An anchor element (), when used for carousel navigation
+ with a data-slide attribute, can contain an href attribute
+ value that is not subject to proper content sanitization.
+ Improper extraction of the intended target carousel’s
+ #id from the href attribute can lead to use cases where
+ the click event’s preventDefault()
+ is not applied and the href is evaluated and executed.
+ As a result, restrictions are not applied to the data
+ that is evaluated, which can lead to potential
+ XSS vulnerabilities.
+ (Closes: #1084059)
+
+ -- Bastien Roucariès Sun, 13 Apr 2025 13:42:02 +0200
+
 twitter-bootstrap4 (4.6.1+dfsg1-4) unstable; urgency=medium
 * Team upload
@@ -0,0 +1,45 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Sun, 13 Apr 2025 12:33:22 +0200
+Subject: CVE-2024-6531
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+An anchor element (), when used for carousel navigation with a data-slide attribute,
+can contain an href attribute value that is not subject to proper content sanitization.
+Improper extraction of the intended target carousel’s #id from the href attribute
+can lead to use cases where the click event’s preventDefault()
+is not applied and the href is evaluated and executed.
+As a result, restrictions are not applied to the data that is evaluated, which
+can lead to potential XSS vulnerabilities.
+
+return false in case of error that will avoid the XSS attack, and avoid further
+treatment by the handler.
+
+bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-6531
+---
+ js/src/carousel.js | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/js/src/carousel.js b/js/src/carousel.js
+index 18732d0..9447da6 100644
+--- a/js/src/carousel.js
++++ b/js/src/carousel.js
+@@ -543,13 +543,13 @@ class Carousel {
+ const selector = Util.getSelectorFromElement(this)
+
+ if (!selector) {
+- return
++ return false
+ }
+
+ const target = $(selector)[0]
+
+ if (!target || !$(target).hasClass(CLASS_NAME_CAROUSEL)) {
+- return
++ return false
+ }
+
+ const config = {
diff -Nru twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series
--- twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series 2021-07-30 04:53:16.000000000 +0000
+++ twitter-bootstrap4-4.6.1+dfsg1/debian/patches/series 2025-04-13 11:42:02.000000000 +0000
@@ -1,2 +1,3 @@
 do-not-update-copyright-year.diff
 dont-check-for-caniuse-lite-update.patch
+0003-CVE-2024-6531.patch
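Review bot: The two `return false` early exits in the nested hunk at `@@ -543,13 +543,13 @@` of js/src/carousel.js do more than the header's stated goal: in a jQuery-bound handler `return false` implies both `event.preventDefault()` and `event.stopPropagation()`, so a click on a `[data-slide]` anchor whose href is not a carousel selector no longer bubbles beyond the delegated handler, which can silently detach other delegated listeners on ancestor elements; if only the navigation is to be suppressed, calling `preventDefault()` on the handler's event parameter and then returning is the narrower change. The enclosing click handler starts and ends outside the hunk, so whether its normal path's own `preventDefault()` remains reachable cannot be confirmed from here. The patch touches only `js/src/carousel.js`; if the binary package installs prebuilt `dist/` bundles instead of rebuilding them from `js/src`, the fix should be checked in the shipped artifacts after the build. The DEP-3 header would also benefit from an `Origin:` or `Forwarded:` field recording whether this is a Debian-authored fix or derived from the vendor advisory it links.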