Hi!

On 05/12/24 at 18:10, Sylvain Beucler wrote:
> Hi,
> 
> Any opinion on this? :)

Thanks for this ping, Sylvain.

I thought I had mentioned somewhere that Daniel Baumann showed some
interest in working on those CVEs, but that was some time ago. I
pinged him 15 days ago, and I am pinging him again. Without an answer, I
will consider contacting herodevs.

On a related topic, I filed bugs for all the packages (build-)depending
on twitter-bootstrap3 and twitter-bootstrap4:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=bootstrap-v5-migration;users=debian-lts@lists.debian.org

Cheers,

> On 20/11/2024 09:03, Sylvain Beucler wrote:
> > twitter-bootstrap3&4 have been sitting for a while in the FD and dla/
> > ela-needed queues.
> > 
> > Context:
> > 
> > - EOL'd
> > https://getbootstrap.com/docs/4.6/end-of-life/
> > "Bootstrap 3 reached end of life July 24, 2019, followed by Bootstrap 4
> > on January 1, 2023."
> > 
> > - Affected by CVE-2024-6484, CVE-2024-6485, CVE-2024-6531
> >    (affecting 3.x or 4.x, but not 5.x/current)
> > https://deb.freexian.com/extended-lts/tracker/CVE-2024-6484
> > https://deb.freexian.com/extended-lts/tracker/CVE-2024-6485
> > https://deb.freexian.com/extended-lts/tracker/CVE-2024-6531
> > 
> > - Support and fixes are officially available through HeroDevs:
> > "for those who can’t upgrade just yet and have compliance or security
> > requirements, we’re introducing Never-Ending Support for Bootstrap 3 and
> > 4 with HeroDevs."
> > https://www.herodevs.com/support/nes-bootstrap
> > AFAICS this is non-free and private.
> > 
> > - Other distros don't seem to consider these CVEs.
> > 
> > This is triaged in bookworm with:
> >    <postponed> (Minor issue, revisit when fixed upstream)
> > but this most likely has no chance of happening, because it's EOL'd.
> > 
> > Do we want to reach out to HeroDevs?
> > Do we want to EOL these packages?
> > Do we want to try and fix this ourselves?
> > 
> > Cheers!
> > Sylvain
> > (FD this week)

-- 
Santiago Ruano Rincón ◈ Freexian SARL
https://www.freexian.com
