twitter-bootstrap3: CVE-2018-14040 CVE-2018-14041 CVE-2018-14042

Debian Bug report logs - #907414

Reported by: Antoine Beaupre <anarcat@debian.org>

Date: Mon, 27 Aug 2018 18:33:02 UTC

Severity: grave

Tags: security, upstream

Found in version 3.3.7+dfsg-3

Fixed in version twitter-bootstrap3/3.4.0+dfsg-1

Done: Xavier Guimard <yadd@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#907414; Package twitter-bootstrap3. (Mon, 27 Aug 2018 18:33:04 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 27 Aug 2018 18:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Antoine Beaupre <anarcat@debian.org>
To: submit@bugs.debian.org
Subject: twitter-bootstrap3: CVE-2018-14040 CVE-2018-14041 CVE-2018-14042
Date: Mon, 27 Aug 2018 14:29:09 -0400
Package: twitter-bootstrap3
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for twitter-bootstrap3.

CVE-2018-14040[0]:
| In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent
| attribute.

CVE-2018-14041[1]:
| In Bootstrap before 4.1.2, XSS is possible in the data-target property
| of scrollspy.

CVE-2018-14042[2]:
| In Bootstrap before 4.1.2, XSS is possible in the data-container
| property of tooltip.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14040
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14040
[1] https://security-tracker.debian.org/tracker/CVE-2018-14041
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14041
[2] https://security-tracker.debian.org/tracker/CVE-2018-14042
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14042

Please adjust the affected versions in the BTS as needed.

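The three CVE one-liners above share a shape: a selector string is read from a `data-*` attribute (data-parent, data-target, data-container) and handed to jQuery. jQuery's `$()` parses a string that begins with `<` as HTML and creates the nodes, so attacker-controlled markup in the attribute becomes live DOM; the page itself gives no more detail, so treating these CVEs as instances of that selector-injection pattern is an assumption. The JavaScript below is an added example, not Bootstrap's or the Debian package's code. It reproduces jQuery's quick-dispatch regex (`rquickExpr`, jQuery 1.9 and later; its exact form is assumed) in plain Node so that the decision can be exercised without a browser, and pairs the vulnerable "pass the attribute straight to `$()`" shape with an allow-list check that fails closed. The payload strings are constructed for the example.

```javascript
// Added example, not Bootstrap's or the Debian package's own code.
// Models jQuery's $(str) dispatch so the selector-injection mechanism
// behind data-parent / data-target / data-container XSS can be shown
// without a browser or jQuery on the path.

// jQuery >= 1.9 core init uses this regex (reproduced here; an assumption
// about its exact form). Group 1 set => the string is parsed as HTML and
// the resulting nodes are created, which is where injected markup goes live.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Returns what a jQuery-style $() would do with the string.
function jqueryDispatch(str) {
  const m = RQUICK_EXPR.exec(str);
  if (m && m[1]) return 'html';   // $('<img src=x onerror=...>') builds an element
  if (m && m[2]) return 'id';     // fast path: getElementById
  return 'selector';              // everything else goes to the selector engine
}

// Allow-list for values read from data-* attributes: a bare id (#x), class (.x)
// or element name (body). Angle brackets, quotes, whitespace, commas and
// combinators are all rejected before the value can reach $().
const SAFE_SELECTOR = /^[#.]?[A-Za-z_][\w-]*$/;

function safeSelector(value) {
  return typeof value === 'string' && SAFE_SELECTOR.test(value) ? value : null;
}

// Vulnerable shape: the attribute value goes straight to $().
function resolveTargetVulnerable(dataAttr) {
  return jqueryDispatch(dataAttr);
}

// Hardened shape: validate first. 'rejected' means the plugin should ignore
// the attribute (fail closed) rather than fall back to guessing a target.
function resolveTargetHardened(dataAttr) {
  const sel = safeSelector(dataAttr);
  return sel === null ? 'rejected' : jqueryDispatch(sel);
}

// Constructed payloads of the shape an attacker would place in a data-*
// attribute they control (e.g. user-supplied HTML that survived a sanitizer
// which allows data-* attributes).
const PAYLOADS = [
  '<img src=x onerror=alert(1)>',
  ' <svg/onload=alert(1)>',
  '#accordion',
  '.panel-group',
  'body',
];

// One row per payload: what the vulnerable and hardened shapes each do with it.
function report() {
  return PAYLOADS.map((p) => ({
    value: p,
    vulnerable: resolveTargetVulnerable(p),
    hardened: resolveTargetHardened(p),
  }));
}

for (const row of report()) {
  console.log(JSON.stringify(row));
}
```

The other standard remedy is to route the value through `.find()` on a known root, e.g. `$(document).find(value)`: `.find()` always treats its argument as a selector, so a `<...>` payload produces a selector syntax error instead of new nodes. The allow-list above is stricter than that and is the better choice when the plugin only ever needs a bare id, class or element name.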

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2018 19:57:02 GMT)


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Fri, 04 Jan 2019 07:09:03 GMT)


Notification sent to Antoine Beaupre <anarcat@debian.org>:
Bug acknowledged by developer. (Fri, 04 Jan 2019 07:09:03 GMT)


Message #12 received at 907414-close@bugs.debian.org:

From: Xavier Guimard <yadd@debian.org>
To: 907414-close@bugs.debian.org
Subject: Bug#907414: fixed in twitter-bootstrap3 3.4.0+dfsg-1
Date: Fri, 04 Jan 2019 07:07:40 +0000
Source: twitter-bootstrap3
Source-Version: 3.4.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
twitter-bootstrap3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907414@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated twitter-bootstrap3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Jan 2019 07:27:13 +0100
Source: twitter-bootstrap3
Binary: libjs-bootstrap
Architecture: source
Version: 3.4.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 907414
Description: 
 libjs-bootstrap - HTML, CSS and JS framework
Changes:
 twitter-bootstrap3 (3.4.0+dfsg-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Antonio Terceiro ]
   * debian/rules: use UTC dates to avoid unreproducibility across timezones
     during new year's eve/day.
 .
   [ Jelmer Vernooij ]
   * Use secure copyright file specification URI.
 .
   [ Xavier Guimard ]
   * New upstream version 3.4.0+dfsg (Closes: #907414)
   * Bump debhelper compatibility level to 12
   * Declare compliance with policy 4.3.0
   * Update VCS URLs
   * Update debian/copyright
   * Update lintian overrides
   * Change section to javascript
   * Add upstream/metadata
   * Update upstream changelog
   * Remove get-orig-source target in debian/rules
   * Update links to https
Checksums-Sha1: 
 98ef552a000746a54511b2f42c2811a9d1d58c50 2122 twitter-bootstrap3_3.4.0+dfsg-1.dsc
 6e154d7cd9051c3f98327040c11d8b641611552b 2007872 twitter-bootstrap3_3.4.0+dfsg.orig.tar.xz
 1dc8a8e7fd9d57e9bd19964d6d8f5a14593f6178 51620 twitter-bootstrap3_3.4.0+dfsg-1.debian.tar.xz
Checksums-Sha256: 
 f7407320a5a2080200a15d89d455d7525a331bfed72b349bfffdf456e689ab5b 2122 twitter-bootstrap3_3.4.0+dfsg-1.dsc
 738555a9d39e62ceef37ff7d04f0971d643e8e7f5384f4884ee0ee0c5771c1b2 2007872 twitter-bootstrap3_3.4.0+dfsg.orig.tar.xz
 57331bd3a8577ca37adabca671d0d2f39a981977a2e507d62d0ba5446e10af33 51620 twitter-bootstrap3_3.4.0+dfsg-1.debian.tar.xz
Files: 
 d2fd9ee3fe99328d100a99a92b024d22 2122 javascript optional twitter-bootstrap3_3.4.0+dfsg-1.dsc
 b195d03c0357e9aeb141d186c6a5021e 2007872 javascript optional twitter-bootstrap3_3.4.0+dfsg.orig.tar.xz
 561ae91f473c6671064a60304304a9d1 51620 javascript optional twitter-bootstrap3_3.4.0+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCgAuFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAlwvAM4QHHlhZGRAZGVi
aWFuLm9yZwAKCRD210ynyZnu6cgUD/94+5vS0exS7CrqPlC6xPvG/O7D9lnzEPIy
10rVtnUrjzzzjnXXs7xb/qnOUPKY0REmKk/caYrnYQlBOgR5XLf1SJvBk1YaehAk
+/4f71SxKtmtRZ8pruTMog0hFyebyecro3Thl2SNWNoI6vEvLUy9Aaooz7TZb+Nb
gcL6ob1QAHMWI8mIYhmGmym/L0+gekgbjsFfXEvdUGXaf25jWRzD6puf7ryVH6AF
LkSoxRzKkFmSlzDist8A0HifuuQziV8HynRKllanqDLGfk1h4XhuuPxASbkVXDFG
oEtdOTIReADErVU+Wi6WmCowbVQzJFJ7+U7cUoLtIodBkNX1sIjLlCXhgfPYDWib
dUdBdtXVIzjnAee7aq70R+p2y5AbBR2wNvgRgs9Wmw+SixlSSRDBoiJx6bkgZn+l
Genc56JPZSNZuDQc3uivSF1oBCn0uERZASzQDP4f5B8xJ+lQ6S9yZ4mk4m5pQk/E
tN457V4TG98+NtnLA0VD0MnksLRN6Lu3A8E3WxgVz54dt1aEBt4BdKGpFaC5R3h4
+kMMdqvy3iKCgBKgoqLxcGpiohRH31t/PyVmcdT3/aT6yG2ONVuPueOvsM+CQv5y
LFowYbIaqUVBt9mc2cjJIl5lU7eDhJmkUTpRFhBCuBpDrt/eBQWNlZ9tjlOLMPBO
4vDSajXRhw==
=f35m
-----END PGP SIGNATURE-----

Marked as found in versions 3.3.7+dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 09 Jan 2019 06:18:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 06 Feb 2019 07:27:27 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:07:04 2019; Machine Name: buxtehude