[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2018-2067{6,7}/twitter-bootstrap
Salvatore Bonaccorso
carnil at debian.org
Sat Jan 12 14:16:14 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d6f6339d by Salvatore Bonaccorso at 2019-01-12T14:12:54Z
Add CVE-2018-2067{6,7}/twitter-bootstrap
Further analysis showed that src:twitter-boostrap is as well affected by
the CVE-2018-20676 and CVE-2018-20677 issues. The code cannot be
compared easily as 2.x and 3.x diverged a lot but the issue seem present
in the 2.x series.
Thanks: Xavier Guimard <yadd at debian.org>
- - - - -
f2212a50 by Salvatore Bonaccorso at 2019-01-12T14:14:54Z
Update information for CVE-2018-1404{0,2}/twitter-bootstrap
Further analysis showed that src:twitter-boostrap is as well affected by
the CVE-2018-20676 and CVE-2018-20677 issues. The code cannot be
compared easily as 2.x and 3.x diverged a lot but the issue seem present
in the 2.x series.
Wrong conclusion was reached initialy while investigating
src:twitter-bootstrap itself for these two issues.
Thanks: Xavier Guimard <yadd at debian.org>
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1196,6 +1196,8 @@ CVE-2019-5721 (In Wireshark 2.4.0 to 2.4.11, the ENIP dissector could crash. Thi
NOTE: Fix for 2.4.x was a cherry pick of:
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=177962a5b4a05759b40fb6fc07a4a6eec306a9bf (2.5.1)
CVE-2018-20677 (In Bootstrap before 3.4.0, XSS is possible in the affix configuration ...)
+ - twitter-bootstrap <unfixed>
+ [stretch] - twitter-bootstrap <no-dsa> (Minor issue)
- twitter-bootstrap3 3.4.0+dfsg-1
[stretch] - twitter-bootstrap3 <no-dsa> (Minor issue)
[jessie] - twitter-bootstrap3 <no-dsa> (Minor issue)
@@ -1205,6 +1207,8 @@ CVE-2018-20677 (In Bootstrap before 3.4.0, XSS is possible in the affix configur
NOTE: https://github.com/twbs/bootstrap/pull/27047
NOTE: https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d (v3.4.0)
CVE-2018-20676 (In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport ...)
+ - twitter-bootstrap <unfixed>
+ [stretch] - twitter-bootstrap <no-dsa> (Minor issue)
- twitter-bootstrap3 3.4.0+dfsg-1
[stretch] - twitter-bootstrap3 <no-dsa> (Minor issue)
[jessie] - twitter-bootstrap3 <no-dsa> (Minor issue)
@@ -29940,7 +29944,8 @@ CVE-2018-14044 (The RateTransposer::setChannels function in RateTransposer.cpp i
CVE-2018-14043 (mstdlib (aka the M Standard Library for C) 1.2.0 has incorrect file ...)
NOT-FOR-US: mstdlib
CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is possible in the data-container ...)
- - twitter-bootstrap <not-affected> (Vulnerable code not present)
+ - twitter-bootstrap <unfixed>
+ [stretch] - twitter-bootstrap <no-dsa> (Minor issue)
- twitter-bootstrap3 3.4.0+dfsg-1 (low; bug #907414)
[stretch] - twitter-bootstrap3 <no-dsa> (Minor issue)
[jessie] - twitter-bootstrap3 <not-affected> (Vulnerable code not present)
@@ -29965,7 +29970,8 @@ CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target pr
NOTE: https://github.com/twbs/bootstrap/commit/cc61edfa8af7b5ec9d4888c59bf94377e499b78b (v4.1.2)
CVE-2018-14040 (In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent ...)
{DLA-1479-1}
- - twitter-bootstrap <not-affected> (Vulnerable code not present)
+ - twitter-bootstrap <unfixed>
+ [stretch] - twitter-bootstrap <no-dsa> (Minor issue)
- twitter-bootstrap3 3.4.0+dfsg-1 (low; bug #907414)
[stretch] - twitter-bootstrap3 <no-dsa> (Minor issue)
NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/57060a7f9ee2adbf001f892942b8540b9b4cb88d...f2212a50219ee0ca7dc7e866d55f794fe1bc1d44
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/57060a7f9ee2adbf001f892942b8540b9b4cb88d...f2212a50219ee0ca7dc7e866d55f794fe1bc1d44
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190112/7a346eb9/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list