
Re: Support for ckeditor3 in Debian



Hi all,

On Sat, 21 May 2022 10:25:35 CEST, Sylvain Beucler wrote:

Hi all,

On 12/05/2022 08:35, Mike Gabriel wrote:
On Tue, May 10, 2022 at 12:31:46PM +0200, Sylvain Beucler wrote:
On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
Now, php-horde-editor is the only rdepends of ckeditor3.

IMHO we need to do a re-evaluation of the current CVEs for ckeditor to
see which affect ckeditor3 as well and in particular try to get a
picture how those known to affect ckeditor3 impact php-horde-editor.
Some might be for instance negligible in context of php-horde-editor
specifically.

Just an idea, and not necessarily right now already the security team
view: Depending on this outcome we might declare it as unsupported in
general, and only to be considered if an issue impacts
php-horde-editor.

This sounds good to me.

To get a clearer view, I associated ckeditor CVEs to ckeditor3, excluding those that are clearly specific to v4 or v5, and marking them <not-affected> when possible:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a55e943bca823e36337c8b47cd65adcf0405fd4

I think all vulnerabilities apply to ckeditor3 in the context of php-horde-editor, as I didn't witness any particular limitation in the way it's loaded.

A few of them can be fixed, most of them (as with ckeditor4) are too unclear, and (unlike ckeditor4) we don't have the option to bump to a new upstream release.

I believe we can either mark ckeditor3 as end-of-life, or maybe add it to debian-security-support:security-support-limited (best effort), what do you think?

Cheers!
Sylvain Beucler
Debian LTS Team

as I have a company interest in Horde and thus in ckeditor3, I'd be happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in unstable needs the same love as in LTS. And we are currently working on upgrading the company mailserver.

The extra funding from DAS-NETZWERKTEAM could either be directly invoiced to me by the LTS contributor or funding could be piped through Freexian if they can go with that and see that as a requirement.

So, ping @Raphael? I have something like 4-6 hours in mind. What is your preferred way of handling individual package funding such as described above?

Greets,
Mike


--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
