[Git][security-tracker-team/security-tracker][master] Two CVEs originally for Bootstrap rejected
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Aug 1 20:33:20 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0c674f3e by Salvatore Bonaccorso at 2025-08-01T21:33:09+02:00
Two CVEs originally for Bootstrap rejected
In the end they were not security issues in Bootstrap. Bootstrap’s
JavaScript is not intended to sanitize unsafe or intentionally dangerous
HTML. As such, the reported behavior fell outside the scope of
Bootstrap’s security model, and the associated CVE has been rescinded.
- - - - -
2 changed files:
- data/CVE/list
- data/DLA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -113648,14 +113648,8 @@ CVE-2024-6679 (A vulnerability classified as critical has been found in witmy my
NOT-FOR-US: witmy my-springsecurity-plus
CVE-2024-6643
REJECTED
-CVE-2024-6531 (A vulnerability has been identified in Bootstrap that exposes users to ...)
- {DLA-4125-1}
- - twitter-bootstrap4 4.6.1+dfsg1-5 (bug #1084059)
- [bookworm] - twitter-bootstrap4 4.6.1+dfsg1-4+deb12u1
- - twitter-bootstrap3 <not-affected> (Only affects 4.x)
- NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
- NOTE: related to CVE-2024-6484/twitter-bootstrap3
- NOTE: Non-official patch: https://salsa.debian.org/js-team/twitter-bootstrap4/-/blob/1925007041cf88bde02af23c9507ad9e7426e362/debian/patches/0003-CVE-2024-6531.patch
+CVE-2024-6531
+ REJECTED
CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page Generation (' ...)
NOT-FOR-US: Schneider Electric
CVE-2024-6485 (A security vulnerability has been discovered in bootstrap that could e ...)
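Review bot: the new `+CVE-2024-6531` / `+ REJECTED` entry drops every NOTE line of the old record, including the cross-reference to CVE-2024-6484/twitter-bootstrap3 and the pointer to the non-official patch that was shipped in twitter-bootstrap4 4.6.1+dfsg1-5 and in the bookworm 4.6.1+dfsg1-4+deb12u1 update. Those package versions still carry that change, so consider keeping one NOTE under the REJECTED entry that records the rejection rationale given in the commit message (Bootstrap's JavaScript is not intended to sanitize unsafe HTML) and that a patch was nevertheless shipped, so later triage of the twitter-bootstrap4 history does not have to reconstruct this from git log. Bug #1084059 is also no longer referenced anywhere in the tracker; it should be closed or retitled to match.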
@@ -113665,13 +113659,8 @@ CVE-2024-6485 (A security vulnerability has been discovered in bootstrap that co
[bookworm] - twitter-bootstrap3 3.4.1+dfsg-3+deb12u1
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
NOTE: Non-official patch: https://github.com/entreprise7pro/bootstrap/commit/769c032fd93d6f2c07599e096a736c5d09c041cf
-CVE-2024-6484 (A vulnerability has been identified in Bootstrap that exposes users to ...)
- {DLA-4124-1}
- - twitter-bootstrap4 <not-affected> (Only affects 3.x)
- - twitter-bootstrap3 3.4.1+dfsg-4 (bug #1084060)
- [bookworm] - twitter-bootstrap3 3.4.1+dfsg-3+deb12u1
- NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6484
- NOTE: Non-official patch: https://github.com/odinserj/bootstrap/commit/0ea568be7ff0c1f72a693f5d782277a9e9872077
+CVE-2024-6484
+ REJECTED
CVE-2024-6407 (CWE-200: Information Exposure vulnerability exists that could cause di ...)
NOT-FOR-US: Schneider Electric
CVE-2024-6035 (A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbia ...)
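Review bot: the `+CVE-2024-6484` / `+ REJECTED` entry removes the reference to bug #1084060 and to the non-official patch that went into twitter-bootstrap3 3.4.1+dfsg-4 and the bookworm 3.4.1+dfsg-3+deb12u1 update, leaving no record in the tracker that those versions carry a change for a since-rejected CVE. A single NOTE under the REJECTED line stating the rejection reason and the versions that already shipped the patch would preserve that, and bug #1084060 should be closed now that nothing points at it. The neighbouring CVE-2024-6485 entry is left untouched, which is consistent with the commit message rejecting only two of the three Bootstrap CVEs.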
=====================================
data/DLA/list
=====================================
@@ -408,10 +408,9 @@
{CVE-2024-56326 CVE-2025-27516}
[bullseye] - jinja2 2.11.3-1+deb11u3
[13 Apr 2025] DLA-4125-1 twitter-bootstrap4 - security update
- {CVE-2024-6531}
[bullseye] - twitter-bootstrap4 4.5.2+dfsg1-8~deb11u2
[13 Apr 2025] DLA-4124-1 twitter-bootstrap3 - security update
- {CVE-2024-6484 CVE-2024-6485}
+ {CVE-2024-6485}
[bullseye] - twitter-bootstrap3 3.4.1+dfsg-2+deb11u1
[12 Apr 2025] DLA-4123-1 wpa - security update
{CVE-2022-23303 CVE-2022-23304 CVE-2022-37660}
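Review bot: removing `- {CVE-2024-6531}` leaves the `[13 Apr 2025] DLA-4125-1 twitter-bootstrap4` entry with no CVE line at all, while every other advisory in the context carries a `{...}` line. Verify that the DLA/list consistency checks accept an advisory without a CVE list; if the file's convention for CVE-less advisories is an explicit empty `{}` line, use that instead so the entry parses like its neighbours. The DLA-4124-1 change (`+ {CVE-2024-6485}`) correctly retains the CVE that the CVE/list hunks leave open.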
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c674f3ec3ddbcf4f161964e8fa41b81cb9190dc