Package: twitter-bootstrap4 / 4.6.2+dfsg-1

Metadata

Package: twitter-bootstrap4
Version: 4.6.2+dfsg-1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description

do not update copyright year.diff

build/banner.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

 avoid updating copyright year during build
 This fixes reproducible debci

dont check for caniuse lite update.patch

.babelrc.js | 3 +-
1 file changed, 2 insertions(+), 1 deletion(-)

 don't check for node-caniuse-lite update

0003 CVE 2024 6531.patch

js/src/carousel.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

 cve-2024-6531

An anchor element (<a>), when used for carousel navigation with a data-slide attribute,
can contain an href attribute value that is not subject to proper content sanitization.
Improper extraction of the intended target carousel's #id from the href attribute
can lead to use cases where the click event's preventDefault()
is not applied and the href is evaluated and executed.
As a result, restrictions are not applied to the data that is evaluated, which
can lead to potential XSS vulnerabilities.

Return false in case of error, which will avoid the XSS attack and avoid further
treatment by the handler.

bug: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084059
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-6531