Hi,
Any opinion on this? :)
On 20/11/2024 09:03, Sylvain Beucler wrote:
twitter-bootstrap3&4 have been sitting for a while in the FD and dla/ela-needed queues.
Context:
- EOL'd
https://getbootstrap.com/docs/4.6/end-of-life/
"Bootstrap 3 reached end of life July 24, 2019, followed by Bootstrap 4
on January 1, 2023."
- Affected by CVE-2024-6484, CVE-2024-6485, CVE-2024-6531
(affecting 3.x or 4.x, but not 5.x/current)
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6484
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6485
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6531
- Support and fixes are officially available through HeroDevs:
"for those who can’t upgrade just yet and have compliance or security
requirements, we’re introducing Never-Ending Support for Bootstrap 3 and
4 with HeroDevs."
https://www.herodevs.com/support/nes-bootstrap
AFAICS this is non-free and private.
- Other distros don't seem to consider these CVEs.
This is triaged in bookworm with:
<postponed> (Minor issue, revisit when fixed upstream)
but this most likely has no chance of happening, because they are EOL'd.
Do we want to reach out to HeroDevs?
Do we want to EOL these packages?
Do we want to try and fix this ourselves?
Cheers!
Sylvain
(FD this week)