ckeditor4 security update

To: pkg-javascript-devel@lists.alioth.debian.org
Cc: yadd@debian.org, Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>
Subject: ckeditor4 security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 17 Jun 2022 17:27:32 +0200
Message-id: <[🔎] cfb733e9-94b7-fb7d-d47d-0b5ef2c5d5a8@beuc.net>

Hello,

I'm working on Debian LTS (stretch), and I saw there are a number ofCVEs against ckeditor (v4), as seen in #982587 #999909 and #992290-2,and I'm willing to provide some help on this package.

https://security-tracker.debian.org/tracker/source-package/ckeditor

AFAIU ckeditor upstream does not provide much information on fixes,making it hard if not impossible to backport targeted fixes.

However they maintain branch 4.x cleanly.

Thus it may make sense to upgrade to 4.18 (or later) in all Debiandists, including stable/oldstable (possibly in the next point release).

Does that sound doable and safe enough, or do you think there's too muchof a risk of breakage?


Cheers!
Sylvain Beucler
Debian LTS Team

Reply to:

Prev by Date: Re: pyjwt CVE-2022-29217 and stretch
Next by Date: RFR: openscad update
Previous by thread: Re: pyjwt CVE-2022-29217 and stretch
Next by thread: RFR: openscad update
Index(es):
- Date
- Thread