
Re: [SECURITY] [DSA 1836-1] New fckeditor packages fix arbitrary code execution



On Thu, Jul 16, 2009 at 07:55:39PM +0200, Moritz Muehlenhoff wrote:

> Vinny Guido discovered that multiple input sanitising vulnerabilities
> in Fckeditor, a rich text web editor component, may lead to the
> execution of arbitrary code.

For the record, request-tracker3.8 currently embeds a (customised)
version of fckeditor provided by RT upstream. However, I do not believe
it is vulnerable to this issue as the connectors are not supplied.

In addition, upstream in their next release plan to split out these
customisations - when they do, I should hopefully be able to revert
to the packaged version of the fckeditor.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

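The reasoning in the message above turns on one thing: whether the shipped copy of fckeditor includes the server-side file-manager connector scripts. The following is an added example (not part of Dominic's message, the RT packaging, or the Debian fckeditor package) that scans an unpacked fckeditor tree for such scripts so a maintainer can check an embedded copy the same way. The connector paths it looks for (editor/filemanager/connectors/<lang>/ and the older editor/filemanager/browser/default/connectors/<lang>/) and the sample trees it builds are assumptions made for illustration, not taken from any real package.

```shell
#!/bin/sh
# Added example: locate FCKeditor server-side connector scripts in an
# unpacked tree. The path patterns are an assumption about FCKeditor's
# layout; adjust them if your copy differs.

# Print every connector script found under the directory given as $1.
# Returns 1 if any connector script is present (the upload/browse code
# path that the DSA concerns is shipped), 0 if the tree carries none.
find_fck_connectors() {
    dir=$1
    found=$(find "$dir" -type f \
        \( -path '*/filemanager/connectors/*' \
           -o -path '*/filemanager/browser/default/connectors/*' \) \
        \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' -o -name '*.py' \
           -o -name '*.asp' -o -name '*.aspx' -o -name '*.cfm' \) \
        2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Build a constructed sample tree under $1 (not real package contents).
# With $2 = yes, a PHP connector is included; otherwise only the
# client-side JavaScript files that an editor-only embed would ship.
make_sample_tree() {
    root=$1
    with_connectors=$2
    mkdir -p "$root/fckeditor/editor/js" \
             "$root/fckeditor/editor/filemanager/browser/default"
    : > "$root/fckeditor/fckeditor.js"
    : > "$root/fckeditor/editor/js/fckeditorcode_gecko.js"
    if [ "$with_connectors" = yes ]; then
        mkdir -p "$root/fckeditor/editor/filemanager/connectors/php"
        : > "$root/fckeditor/editor/filemanager/connectors/php/connector.php"
        : > "$root/fckeditor/editor/filemanager/connectors/php/upload.php"
    fi
}

# Stand-alone usage: ./check-fck-connectors.sh /usr/share/request-tracker3.8/html/NoAuth/RichText
if [ $# -gt 0 ]; then
    if find_fck_connectors "$1"; then
        echo "no connector scripts found under $1"
    else
        echo "connector scripts present under $1 (listed above)"
    fi
fi
```

A tree with no connector scripts still has the editor itself, so this only confirms that the server-side upload/browse code path the advisory concerns is absent; it says nothing about whether a copy that does ship connectors carries the fixed version.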
