Your message dated Fri, 11 Apr 2025 13:36:54 +0000
with message-id <[email protected]>
and subject line Bug#1101984: Removed package(s) from unstable
has caused the Debian Bug report #1015217,
regarding ckeditor3: CVE-2014-5191 CVE-2018-17960 CVE-2021-26271 CVE-2021-33829 
CVE-2021-37695 CVE-2021-41165 CVE-2022-24728 CVE-2022-24729
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1015217: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015217
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ckeditor3
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ckeditor4, but it
needs to be checked to which extent ckeditor3 is affected and the
patches in question backported.

CVE-2014-5191[0]:
| Cross-site scripting (XSS) vulnerability in the Preview plugin before
| 4.4.3 in CKEditor allows remote attackers to inject arbitrary web
| script or HTML via unspecified vectors.

https://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706
 (v3.6.x)
https://github.com/ckeditor/ckeditor4/commit/b685874c6bc873a76e6e95916c43840a2b7ab08a
 (v4.4.3)

CVE-2018-17960[1]:
| CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a
| source-mode paste.

CVE-2021-26271[2]:
| It was possible to execute a ReDoS-type attack inside CKEditor 4
| before 4.16 by persuading a victim to paste crafted text into the
| Styles input of specific dialogs (in the Advanced Tab for Dialogs
| plugin).

https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416

CVE-2021-33829[3]:
| A cross-site scripting (XSS) vulnerability in the HTML Data Processor
| in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote
| attackers to inject executable JavaScript code through a crafted
| comment because --!> is mishandled.

https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
https://github.com/ckeditor/ckeditor4/commit/3e426ce34f7fc7bf784624358831ef9e189bb6ed

CVE-2021-37695[4]:
| ckeditor is an open source WYSIWYG HTML editor with rich content
| support. A potential vulnerability has been discovered in CKEditor 4
| [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package.
| The vulnerability allowed to inject malformed Fake Objects HTML, which
| could result in executing JavaScript code. It affects all users using
| the CKEditor 4 plugins listed above at version < 4.16.2. The
| problem has been recognized and patched. The fix will be available in
| version 4.16.2.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58

CVE-2021-41165[5]:
| CKEditor4 is an open source WYSIWYG HTML editor. In affected version a
| vulnerability has been discovered in the core HTML processing module
| and may affect all plugins used by CKEditor 4. The vulnerability
| allowed to inject malformed comments HTML bypassing content
| sanitization, which could result in executing JavaScript code. It
| affects all users using the CKEditor 4 at version < 4.17.0. The
| problem has been recognized and patched. The fix will be available in
| version 4.17.0.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 
(v4.17.0)

CVE-2022-24728[6]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
| A vulnerability has been discovered in the core HTML processing module
| and may affect all plugins used by CKEditor 4 prior to version 4.18.0.
| The vulnerability allows someone to inject malformed HTML bypassing
| content sanitization, which could result in executing JavaScript code.
| This problem has been patched in version 4.18.0. There are currently
| no known workarounds.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
 (4.18.0)

CVE-2022-24729[7]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
| CKEditor4 prior to version 4.18.0 contains a vulnerability in the
| `dialog` plugin. The vulnerability allows abuse of a dialog input
| validator regular expression, which can cause a significant
| performance drop resulting in a browser tab freeze. A patch is
| available in version 4.18.0. There are currently no known workarounds.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh
        
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-5191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5191
[1] https://security-tracker.debian.org/tracker/CVE-2018-17960
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17960
[2] https://security-tracker.debian.org/tracker/CVE-2021-26271
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26271
[3] https://security-tracker.debian.org/tracker/CVE-2021-33829
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33829
[4] https://security-tracker.debian.org/tracker/CVE-2021-37695
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37695
[5] https://security-tracker.debian.org/tracker/CVE-2021-41165
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41165
[6] https://security-tracker.debian.org/tracker/CVE-2022-24728
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24728
[7] https://security-tracker.debian.org/tracker/CVE-2022-24729
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24729

Please adjust the affected versions in the BTS as needed.

--- End Message ---
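Added example (JavaScript; not part of the bug report and not CKEditor's code) illustrating the comment-terminator parser differential the CVE-2021-33829 description above refers to. Per the HTML tokenizer a comment ends at "--!>" as well as "-->", and "<!-->" / "<!--->" close a comment abruptly, so a filter that only recognises "-->" and passes comment bodies through untouched disagrees with the browser about where the comment ends; what the filter treated as comment text is then parsed by the browser as markup. The function names, the toy sanitizer and the PAYLOAD string are constructed for this illustration and do not describe CKEditor's implementation.

```javascript
// Added example, not CKEditor code: a parser differential on HTML comment
// terminators. The HTML tokenizer ends a comment at "-->" and also at "--!>"
// (an "incorrectly-closed-comment" parse error that still closes it), and
// "<!-->" / "<!--->" close abruptly. A filter that only knows "-->" and keeps
// comment bodies verbatim disagrees with the browser about where the comment
// ends, so content it treated as comment text reaches the browser as markup.

// Return the index just past the end of the comment starting at `start`
// (the position of "<!--"). spec=true follows the HTML tokenizer; spec=false
// models a filter that only recognises "-->".
function findCommentEnd(html, start, spec) {
  let i = start + 4; // skip "<!--"
  if (spec) {
    if (html.startsWith(">", i)) return i + 1;  // "<!-->"
    if (html.startsWith("->", i)) return i + 2; // "<!--->"
  }
  for (; i < html.length; i++) {
    if (html.startsWith("-->", i)) return i + 3;
    if (spec && html.startsWith("--!>", i)) return i + 4;
  }
  return html.length; // unterminated: rest of input is swallowed as comment
}

// Split input into alternating markup and comment segments.
function splitComments(html, spec) {
  const segs = [];
  let i = 0;
  while (i < html.length) {
    const start = html.indexOf("<!--", i);
    if (start === -1) {
      segs.push({ type: "markup", value: html.slice(i) });
      break;
    }
    if (start > i) segs.push({ type: "markup", value: html.slice(i, start) });
    const end = findCommentEnd(html, start, spec);
    segs.push({ type: "comment", value: html.slice(start, end) });
    i = end;
  }
  return segs;
}

const SCRIPT_RE = /<script\b[\s\S]*?<\/script\s*>/gi;

// Toy sanitizer (constructed): drop <script> elements from markup, pass
// comments through unchanged, as an editor that preserves comments would.
function sanitize(html, spec) {
  return splitComments(html, spec)
    .map((s) => (s.type === "comment" ? s.value : s.value.replace(SCRIPT_RE, "")))
    .join("");
}

// Would a browser (spec tokenizer) meet a <script> start tag outside a comment?
function browserSeesScript(html) {
  return splitComments(html, true).some(
    (s) => s.type === "markup" && /<script\b/i.test(s.value)
  );
}

// Constructed input: the "comment" is closed by "--!>" for the browser but
// runs on to the later "-->" for a "-->"-only filter.
const PAYLOAD = "<p>hi</p><!-- --!><script>x()</script> --><p>bye</p>";

for (const spec of [false, true]) {
  const out = sanitize(PAYLOAD, spec);
  console.log(
    (spec ? "spec-aware filter" : '"-->"-only filter') + ": " + out +
    " | browser sees script: " + browserSeesScript(out)
  );
}
```

With the "-->"-only filter the input passes through unchanged and the browser closes the comment at "--!>", leaving the script element live; with the tokenizer-accurate terminator rules the script sits in a markup segment and is removed. The practical lesson is the one the fixed versions apply: a sanitizer must recognise every comment terminator the HTML parser does, not just the canonical "-->".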
--- Begin Message ---
Version: 3.6.6.1+dfsg-7+rm

Dear submitter,

as the package ckeditor3 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1101984

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Paul Tagliamonte (the ftpmaster behind the curtain)

--- End Message ---
