
Re: Support for ckeditor3 in Debian



Hi all,

On Tue, May 10, 2022 at 12:31:46PM +0200, Sylvain Beucler wrote:
> Hello Salvatore,
> 
> On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
> > On Fri, May 06, 2022 at 09:23:27PM +0200, Sylvain Beucler wrote:
> > > Hello Security Team,
> > > 
> > > I'm currently checking 'ckeditor' (v4), an HTML editor for web applications,
> > > for vulnerabilities to fix.
> > > (I may send a separate e-mail about this later)
> > > 
> > > I noted that 'ckeditor3' (re-introduced as a dependency to horde in 2016)
> > > did not reference any vulnerabilities. A quick check showed that it contains
> > > vulnerable code for at least CVE-2021-33829 and CVE-2021-37695.
> > > https://security-tracker.debian.org/tracker/source-package/ckeditor3
> > > 
> > > Do you think we should tag 'ckeditor3' with confirmed CVEs from
> > > 'ckeditor'? Or mark it as end-of-life?
> > 
> > Thanks for spotting this.
> > 
> > Do we know something about php-horde-editor's compatibility with
> > ckeditor version 4? I assume it's still incompatible and we either
> > would need to use the embedded copy or ckeditor3 in the archive.
> > There was only one upstream version following the introduction of
> > ckeditor3.
> 
> It seems the situation didn't change.

Technically, the situation hasn't changed. ckeditor3 works very well in
Horde, whereas API changes in ckeditor4 block a direct replacement of
ckeditor3. That is the main reason why I reintroduced the removed ckeditor3
in 2020.

At the same time, I noted in d/changelog that the reintroduction of
ckeditor3 was supposed to be an interim solution. We are still, well...,
in the interim, at the moment. Sorry for no progress on this part.

Horde upstream is normally quite active regarding maintenance support and
Horde normally receives CVE fixes very promptly. However, ckeditor3
is not on the Horde devs' radar, I assume.

At the same time, there is currently no heavy development going on in the
Horde project, so a port of php-horde-editor to ckeditor4 (or later) does
not have any ETA.
 
> php-horde-editor used to depend on ckeditor4 in jessie but this caused
> issues and was reverted to ckeditor3:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769031

Indeed.

> AFAICS upstream is still using 3.6.6:
> https://github.com/horde/Editor/tree/master/js/ckeditor

Yep.

> > Now, php-horde-editor is the only rdepends of ckeditor3.
> > 
> > IMHO we need to do a re-evaluation of the current CVEs for ckeditor to
> > see which affect ckeditor3 as well and in particular try to get a
> > picture how those known to affect ckeditor3 impact php-horde-editor.
> > Some might be for instance negligible in context of php-horde-editor
> > specifically.
> > 
> > Just an idea, and not necessarily right now already the security team
> > view: Depending on this outcome we might declare it as unsupported in
> > general, and only to be considered if an issue impacts
> > php-horde-editor.

This sounds good to me.

> > And I wonder if it should be a goal to try to get rid of ckeditor3
> > again for the bookworm release, which we still would be in time.
> > Removing does not seem to be feasible right now, as the php-horde
> > framework depends with the php-horde-core, php-horde-imp and
> > php-horde-gollem in some form from the editor.

Removing php-horde-editor/ckeditor3 would remove the WYSIWYG editor from
Horde's webmailer (which people around me use and like).

I will make Horde upstream aware of this thread and discuss with them how
doable a ckeditor4 (or later) port would be.

> > Inputs, Ideas?
> 
> This sounds sensible to me, but since I'm no Horde expert I'm adding Mike
> and Juri in Cc so they can provide their thoughts on a way forward.

Please also note that Horde still needs love regarding the PHP8
transition. I have this on my radar and will get this resolved over the
summer. Currently, due to paid work, my system shows ENOTIME for this.

Thanks for bringing up this topic,
Mike

-- 

DAS-NETZWERKTEAM
Mike Gabriel, Herweg 7, 24357 Fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x9AF46B3025771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

