[Git][security-tracker-team/security-tracker][master] 6 commits: Add tag information for CVE-2018-20677/twitter-bootstrap3 upstream fix

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
85d8d052 by Salvatore Bonaccorso at 2019-01-10T21:28:08Z
Add tag information for CVE-2018-20677/twitter-bootstrap3 upstream fix

- - - - -
dfee1504 by Salvatore Bonaccorso at 2019-01-10T21:28:39Z
Add CVE-2018-20676/twitter-bootstrap3 (specific to 3.x series)

- - - - -
bde9ba7e by Salvatore Bonaccorso at 2019-01-10T21:29:12Z
Clarify commits for CVE-2018-14042

- - - - -
7e9a5213 by Salvatore Bonaccorso at 2019-01-10T21:29:31Z
Reference fix for CVE-2018-14041

- - - - -
696ae8a2 by Salvatore Bonaccorso at 2019-01-10T21:29:49Z
Update commit references for CVE-2018-14040

- - - - -
5d7b5a82 by Salvatore Bonaccorso at 2019-01-10T21:30:12Z
Track fix for CVE-2018-20676/twitter-bootstrap3 via stretch-pu update

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -867,9 +867,15 @@ CVE-2018-20677 (In Bootstrap before 3.4.0, XSS is possible in the affix configur
 	NOTE: https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
 	NOTE: https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628
 	NOTE: https://github.com/twbs/bootstrap/pull/27047
-	NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d
+	NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0)
 CVE-2018-20676 (In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport ...)
-	TODO: check
+	- twitter-bootstrap3 3.4.0+dfsg-1
+	[stretch] - twitter-bootstrap3 <no-dsa> (Minor issue)
+	NOTE: https://github.com/twbs/bootstrap/issues/27044
+	NOTE: https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
+	NOTE: https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628
+	NOTE: https://github.com/twbs/bootstrap/pull/27047
+	NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0)
 CVE-2018-20675 (D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before ...)
 	NOT-FOR-US: D-Link
 CVE-2018-20674 (D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before ...)
@@ -29580,7 +29586,8 @@ CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is possible in the data-container
 	NOTE: https://github.com/twbs/bootstrap/pull/26630
 	NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/efca80bb5bb34546a2e7a9488b89f71457d2ad92
 	NOTE: https://snyk.io/vuln/npm:bootstrap:20180529
-	NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d
+	NOTE: https://github.com/twbs/bootstrap/commit/2d90d369bbc2bd2647620246c55cec8c4705e3d0 (v4.1.2)
+	NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0)
 CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target property ...)
 	- twitter-bootstrap <not-affected> (Vulnerable code not present)
 	- twitter-bootstrap3 <not-affected> (Vulnerable code not present)
@@ -29591,6 +29598,7 @@ CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target pr
 	NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/3229efc0811df29765c1d0a949c85362378b0628
 	NOTE: https://snyk.io/vuln/npm:bootstrap:20160627
 	NOTE: https://snyk.io/vuln/npm:bootstrap:20180529
+	NOTE: https://github.com/twbs/bootstrap/commit/cc61edfa8af7b5ec9d4888c59bf94377e499b78b (v4.1.2)
 CVE-2018-14040 (In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent ...)
 	{DLA-1479-1}
 	- twitter-bootstrap <not-affected> (Vulnerable code not present)
@@ -29602,7 +29610,8 @@ CVE-2018-14040 (In Bootstrap before 4.1.2, XSS is possible in the collapse data-
 	NOTE: https://github.com/twbs/bootstrap/pull/26630
 	NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/3ba186313e9e651bbd52a6a3a0305891dee0a621
 	NOTE: https://snyk.io/vuln/npm:bootstrap:20180529
-	NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d
+	NOTE: https://github.com/twbs/bootstrap/commit/149096016f70fd815540d62c0989fd99cdc809e0 (v4.1.2)
+	NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0)
 CVE-2018-14039
 	RESERVED
 CVE-2018-14038


=====================================
data/next-point-update.txt
=====================================
@@ -126,5 +126,7 @@ CVE-2018-14040
 	[stretch] - twitter-bootstrap3 3.3.7+dfsg-3+deb9u1
 CVE-2018-14042
 	[stretch] - twitter-bootstrap3 3.3.7+dfsg-3+deb9u1
+CVE-2018-20676
+	[stretch] - twitter-bootstrap3 3.3.7+dfsg-3+deb9u1
 CVE-2018-20677
 	[stretch] - twitter-bootstrap3 3.3.7+dfsg-3+deb9u1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ed2ce94e78778badbefd7852f1357a563527eb8b...5d7b5a82c01960e5996d460cfc88024964417e67

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ed2ce94e78778badbefd7852f1357a563527eb8b...5d7b5a82c01960e5996d460cfc88024964417e67
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190110/66911683/attachment-0001.html>