Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hello, twitter-bootstrap3 has some CVEs to fix (issues marked as no-dsa). This patch imports the related fix from twitter-bootstrap 3.4. Cheers, Xavier -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (900, 'testing'), (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/changelog twitter-bootstrap3-3.3.7+dfsg/debian/changelog --- twitter-bootstrap3-3.3.7+dfsg/debian/changelog 2016-10-24 14:45:58.000000000 +0200 +++ twitter-bootstrap3-3.3.7+dfsg/debian/changelog 2019-01-06 23:34:50.000000000 +0100 @@ -1,3 +1,11 @@ +twitter-bootstrap3 (3.3.7+dfsg-2+deb9u1) stretch; urgency=high + + * Team upload. + * Fix multiples XSS vulnerabilities (Closes: #907414) + * Update debian/copyright + + -- Xavier Guimard <y...@debian.org> Sun, 06 Jan 2019 23:34:50 +0100 + twitter-bootstrap3 (3.3.7+dfsg-2) unstable; urgency=medium * Team upload diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/copyright twitter-bootstrap3-3.3.7+dfsg/debian/copyright --- twitter-bootstrap3-3.3.7+dfsg/debian/copyright 2016-10-24 14:45:58.000000000 +0200 +++ twitter-bootstrap3-3.3.7+dfsg/debian/copyright 2019-01-06 23:34:36.000000000 +0100 @@ -9,7 +9,7 @@ js/tests/vendor/jquery.min.js Files: * -Copyright: 2011-2015, Twitter, Inc. +Copyright: 2011-2018, Twitter, Inc. 2014, jQuery Foundation and other contributors 2014, "Cowboy" Ben Alman, contributors HTML5 Boilerplate diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch --- twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch 1970-01-01 01:00:00.000000000 +0100 +++ twitter-bootstrap3-3.3.7+dfsg/debian/patches/fix-xss-vulnerabilities.patch 2019-01-06 23:34:15.000000000 +0100 
@@ -0,0 +1,305 @@ +Description: Fix multies vulnerabilities +Author: Xavier Guimard <y...@debian.org> +Origin: upstream, https://github.com/twbs/bootstrap/pull/26630/commits/efca80bb5bb34546a2e7a9488b89f71457d2ad92 +Bug: https://github.com/twbs/bootstrap/pull/26630 +Bug-Debian: https://bugs.debian.org/907414 +Forwarded: not-needed +Last-Update: 2019-01-06 + +--- a/dist/js/bootstrap.js ++++ b/dist/js/bootstrap.js +@@ -1,6 +1,6 @@ + /*! + * Bootstrap v3.3.7 (http://getbootstrap.com) +- * Copyright 2011-2016 Twitter, Inc. ++ * Copyright 2011-2018 Twitter, Inc. + * Licensed under the MIT license + */ + +@@ -109,7 +109,8 @@ + selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7 + } + +- var $parent = $(selector === '#' ? [] : selector) ++ selector = selector === '#' ? [] : selector ++ var $parent = $(document).find(selector) + + if (e) e.preventDefault() + +@@ -443,7 +444,9 @@ + var slidEvent = $.Event('slid.bs.carousel', { relatedTarget: relatedTarget, direction: direction }) // yes, "slid" + if ($.support.transition && this.$element.hasClass('slide')) { + $next.addClass(type) +- $next[0].offsetWidth // force reflow ++ if (typeof $next === 'object' && $next.length) { ++ $next[0].offsetWidth // force reflow ++ } + $active.addClass(direction) + $next.addClass(direction) + $active +@@ -505,10 +508,17 @@ + // ================= + + var clickHandler = function (e) { +- var href + var $this = $(this) +- var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7 ++ var href = $this.attr('href') ++ if (href) { ++ href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7 ++ } ++ ++ var target = $this.attr('data-target') || href ++ var $target = $(document).find(target) ++ + if (!$target.hasClass('carousel')) return ++ + var options = $.extend({}, $target.data(), $this.data()) + var slideIndex = $this.attr('data-slide-to') + if (slideIndex) options.interval = false +@@ -674,7 +684,7 
@@ + } + + Collapse.prototype.getParent = function () { +- return $(this.options.parent) ++ return $(document).find(this.options.parent) + .find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]') + .each($.proxy(function (i, element) { + var $element = $(element) +@@ -697,7 +707,7 @@ + var target = $trigger.attr('data-target') + || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7 + +- return $(target) ++ return $(document).find(target) + } + + +@@ -779,7 +789,7 @@ + selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7 + } + +- var $parent = selector && $(selector) ++ var $parent = selector && $(document).find(selector) + + return $parent && $parent.length ? $parent : $this.parent() + } +@@ -1307,7 +1317,7 @@ + this.type = type + this.$element = $(element) + this.options = this.getOptions(options) +- this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport)) ++ this.$viewport = this.options.viewport && $(document).find($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport)) + this.inState = { click: false, hover: false, focus: false } + + if (this.$element[0] instanceof document.constructor && !this.options.selector) { +@@ -1460,7 +1470,7 @@ + .addClass(placement) + .data('bs.' + this.type, this) + +- this.options.container ? $tip.appendTo(this.options.container) : $tip.insertAfter(this.$element) ++ this.options.container ? $tip.appendTo($(document).find(this.options.container)) : $tip.insertAfter(this.$element) + this.$element.trigger('inserted.bs.' 
+ this.type) + + var pos = this.getPosition() +@@ -2107,7 +2117,7 @@ + + if (showEvent.isDefaultPrevented() || hideEvent.isDefaultPrevented()) return + +- var $target = $(selector) ++ var $target = $(document).find(selector) + + this.activate($this.closest('li'), $ul) + this.activate($target, $target.parent(), function () { +--- a/js/affix.js ++++ b/js/affix.js +@@ -2,7 +2,7 @@ + * Bootstrap: affix.js v3.3.7 + * http://getbootstrap.com/javascript/#affix + * ======================================================================== +- * Copyright 2011-2016 Twitter, Inc. ++ * Copyright 2011-2018 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + * ======================================================================== */ + +@@ -16,7 +16,9 @@ + var Affix = function (element, options) { + this.options = $.extend({}, Affix.DEFAULTS, options) + +- this.$target = $(this.options.target) ++ var target = this.options.target === Affix.DEFAULTS.target ? $(this.options.target) : $(document).find(this.options.target) ++ ++ this.$target = target + .on('scroll.bs.affix.data-api', $.proxy(this.checkPosition, this)) + .on('click.bs.affix.data-api', $.proxy(this.checkPositionWithEventLoop, this)) + +--- a/js/alert.js ++++ b/js/alert.js +@@ -2,7 +2,7 @@ + * Bootstrap: alert.js v3.3.7 + * http://getbootstrap.com/javascript/#alerts + * ======================================================================== +- * Copyright 2011-2016 Twitter, Inc. ++ * Copyright 2011-2018 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + * ======================================================================== */ + +@@ -31,7 +31,8 @@ + selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7 + } + +- var $parent = $(selector === '#' ? [] : selector) ++ selector = selector === '#' ? 
[] : selector ++ var $parent = $(document).find(selector) + + if (e) e.preventDefault() + +--- a/js/carousel.js ++++ b/js/carousel.js +@@ -2,7 +2,7 @@ + * Bootstrap: carousel.js v3.3.7 + * http://getbootstrap.com/javascript/#carousel + * ======================================================================== +- * Copyright 2011-2016 Twitter, Inc. ++ * Copyright 2011-2018 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + * ======================================================================== */ + +@@ -144,7 +144,9 @@ + var slidEvent = $.Event('slid.bs.carousel', { relatedTarget: relatedTarget, direction: direction }) // yes, "slid" + if ($.support.transition && this.$element.hasClass('slide')) { + $next.addClass(type) +- $next[0].offsetWidth // force reflow ++ if (typeof $next === 'object' && $next.length) { ++ $next[0].offsetWidth // force reflow ++ } + $active.addClass(direction) + $next.addClass(direction) + $active +@@ -206,10 +208,17 @@ + // ================= + + var clickHandler = function (e) { +- var href + var $this = $(this) +- var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7 ++ var href = $this.attr('href') ++ if (href) { ++ href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7 ++ } ++ ++ var target = $this.attr('data-target') || href ++ var $target = $(document).find(target) ++ + if (!$target.hasClass('carousel')) return ++ + var options = $.extend({}, $target.data(), $this.data()) + var slideIndex = $this.attr('data-slide-to') + if (slideIndex) options.interval = false +--- a/js/collapse.js ++++ b/js/collapse.js +@@ -2,7 +2,7 @@ + * Bootstrap: collapse.js v3.3.7 + * http://getbootstrap.com/javascript/#collapse + * ======================================================================== +- * Copyright 2011-2016 Twitter, Inc. ++ * Copyright 2011-2018 Twitter, Inc. 
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + * ======================================================================== */ + +@@ -137,7 +137,7 @@ + } + + Collapse.prototype.getParent = function () { +- return $(this.options.parent) ++ return $(document).find(this.options.parent) + .find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]') + .each($.proxy(function (i, element) { + var $element = $(element) +@@ -160,7 +160,7 @@ + var target = $trigger.attr('data-target') + || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7 + +- return $(target) ++ return $(document).find(target) + } + + +--- a/js/dropdown.js ++++ b/js/dropdown.js +@@ -2,7 +2,7 @@ + * Bootstrap: dropdown.js v3.3.7 + * http://getbootstrap.com/javascript/#dropdowns + * ======================================================================== +- * Copyright 2011-2016 Twitter, Inc. ++ * Copyright 2011-2018 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + * ======================================================================== */ + +@@ -19,7 +19,7 @@ + $(element).on('click.bs.dropdown', this.toggle) + } + +- Dropdown.VERSION = '3.3.7' ++ Dropdown.VERSION = '3.4.0' + + function getParent($this) { + var selector = $this.attr('data-target') +@@ -29,7 +29,7 @@ + selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7 + } + +- var $parent = selector && $(selector) ++ var $parent = selector && $(document).find(selector) + + return $parent && $parent.length ? $parent : $this.parent() + } +--- a/js/tab.js ++++ b/js/tab.js +@@ -2,7 +2,7 @@ + * Bootstrap: tab.js v3.3.7 + * http://getbootstrap.com/javascript/#tabs + * ======================================================================== +- * Copyright 2011-2016 Twitter, Inc. ++ * Copyright 2011-2018 Twitter, Inc. 
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + * ======================================================================== */ + +@@ -48,7 +48,7 @@ + + if (showEvent.isDefaultPrevented() || hideEvent.isDefaultPrevented()) return + +- var $target = $(selector) ++ var $target = $(document).find(selector) + + this.activate($this.closest('li'), $ul) + this.activate($target, $target.parent(), function () { +--- a/js/tooltip.js ++++ b/js/tooltip.js +@@ -3,7 +3,7 @@ + * http://getbootstrap.com/javascript/#tooltip + * Inspired by the original jQuery.tipsy by Jason Frame + * ======================================================================== +- * Copyright 2011-2016 Twitter, Inc. ++ * Copyright 2011-2018 Twitter, Inc. + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + * ======================================================================== */ + +@@ -51,7 +51,7 @@ + this.type = type + this.$element = $(element) + this.options = this.getOptions(options) +- this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport)) ++ this.$viewport = this.options.viewport && $(document).find($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport)) + this.inState = { click: false, hover: false, focus: false } + + if (this.$element[0] instanceof document.constructor && !this.options.selector) { +@@ -204,7 +204,7 @@ + .addClass(placement) + .data('bs.' + this.type, this) + +- this.options.container ? $tip.appendTo(this.options.container) : $tip.insertAfter(this.$element) ++ this.options.container ? $tip.appendTo($(document).find(this.options.container)) : $tip.insertAfter(this.$element) + this.$element.trigger('inserted.bs.' 
+ this.type) + + var pos = this.getPosition() diff -Nru twitter-bootstrap3-3.3.7+dfsg/debian/patches/series twitter-bootstrap3-3.3.7+dfsg/debian/patches/series --- twitter-bootstrap3-3.3.7+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ twitter-bootstrap3-3.3.7+dfsg/debian/patches/series 2019-01-06 23:30:34.000000000 +0100 @@ -0,0 +1 @@ +fix-xss-vulnerabilities.patch
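Review bot: The `Dropdown.VERSION = '3.4.0'` change in the js/dropdown.js hunk (`@@ -19,7 +19,7 @@`) makes the dropdown plugin report 3.4.0 while every other plugin and the dist bundle header in this same patch stay at 3.3.7; that hunk is a stray piece of the upstream commit and should be dropped so the package keeps `Dropdown.VERSION = '3.3.7'`. The patch rewrites only dist/js/bootstrap.js and js/{affix,alert,carousel,collapse,dropdown,tab,tooltip}.js, so if the package ships dist/js/bootstrap.min.js from the source tree rather than regenerating it at build time, the minified bundle still carries the unpatched `$(selector)` calls — worth checking in debian/rules. js/modal.js and js/scrollspy.js are not touched either; modal's data-api click handler in 3.3.7 appears to build its target with `$(...)` in the same way as the carousel handler rewritten here, so confirm whether the same `$(document).find(target)` treatment is needed there before the upload. The DEP-3 header also reads `Description: Fix multies vulnerabilities`, presumably `multiple`.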