Support for ckeditor3 in Debian

To: Debian Security Team <team@security.debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Support for ckeditor3 in Debian
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 6 May 2022 21:23:27 +0200
Message-id: <[🔎] cb270bc4-8dd7-c5e0-29d2-0cf62d438829@beuc.net>

Hello Security Team,

I'm currently checking 'ckeditor' (v4), an HTML editor for webapplications, currently v4), for vulnerabilities to fix.

(I may send a separate e-mail about this later)

I noted that 'ckeditor3' (re-introduced as a dependency to horde in2016) did not reference any vulnerabilities. A quick check showed thatit contains vulnerable code for at least CVE-2021-33829 and CVE-2021-37695.

https://security-tracker.debian.org/tracker/source-package/ckeditor3

Do you think we should we tag 'ckeditor3' with confirmed CVEs from'ckeditor'? Or mark it as end-of-life?


Cheers!
Sylvain Beucler
Debian LTS Team

Reply to:

Follow-Ups:
- Re: Support for ckeditor3 in Debian
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: Lintian errors on ffmpeg
Next by Date: Re: Support for ckeditor3 in Debian
Previous by thread: Re: Urgency for uploads
Next by thread: Re: Support for ckeditor3 in Debian
Index(es):
- Date
- Thread