Hi all, On 12/05/2022 08:35, Mike Gabriel wrote:
On Tue, May 10, 2022 at 12:31:46PM +0200, Sylvain Beucler wrote:
On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
Now, php-horde-editor is the only rdepends of ckeditor3. IMHO we need to do a re-evaluation of the current CVEs for ckeditor to see which affect ckeditor3 as well and in particular try to get a picture how those known to affect ckeditor3 impact php-horde-editor. Some might be for instance negligible in context of php-horde-editor specifically. Just an idea, and not necessarily right now already the security team view: Depending on this outcome we might declare it as unsupported in general, and only to be considered if an issue impacts php-horde-editor.
This sounds good to me.
To get a clearer view, I associated ckeditor CVEs to ckeditor3, excluding those that are clearly specific to v4 or v5, and marking them <not-affected> when possible:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a55e943bca823e36337c8b47cd65adcf0405fd4
I think all vulnerabilities apply to ckeditor3 in the context of php-horde-editor, as I didn't witness any particular limitation in the way it's loaded.
A few of them can be fixed, most of them (as with ckeditor4) are too unclear, and (unlike ckeditor4) we don't have the option to bump to a new upstream release.
I believe we can either mark ckeditor3 as end-of-life, or maybe add it to debian-security-support:security-support-limited (best effort), what do you think?
Cheers! Sylvain Beucler Debian LTS Team