
Re: Support for ckeditor3 in Debian

Hi Sylvain,

On Fri, May 06, 2022 at 09:23:27PM +0200, Sylvain Beucler wrote:
> Hello Security Team,
> I'm currently checking 'ckeditor' (currently v4), an HTML editor for web
> applications, for vulnerabilities to fix.
> (I may send a separate e-mail about this later)
> I noted that 'ckeditor3' (re-introduced as a dependency to horde in 2016)
> did not reference any vulnerabilities. A quick check showed that it contains
> vulnerable code for at least CVE-2021-33829 and CVE-2021-37695.
> https://security-tracker.debian.org/tracker/source-package/ckeditor3
> Do you think we should tag 'ckeditor3' with confirmed CVEs from
> 'ckeditor'? Or mark it as end-of-life?

Thanks for spotting this.

Do we know something about php-horde-editor's compatibility with
ckeditor version 4? I assume it's still incompatible and we either
would need to use the embedded copy or ckeditor3 in the archive.
There was only one upstream version following the introduction of

Now, php-horde-editor is the only rdepends of ckeditor3.

IMHO we need to do a re-evaluation of the current CVEs for ckeditor to
see which affect ckeditor3 as well and in particular try to get a
picture of how those known to affect ckeditor3 impact php-horde-editor.
Some might be for instance negligible in context of php-horde-editor

Just an idea, and not necessarily right now already the security team
view: Depending on this outcome we might declare it as unsupported in
general, and only to be considered if an issue impacts

And I wonder if it should be a goal to try to get rid of ckeditor3
again for the bookworm release, which we still would be in time.
Removing does not seem to be feasible right now, as the php-horde
framework depends, via php-horde-core, php-horde-imp and
php-horde-gollem, in some form on the editor.

Inputs, Ideas?
