Hello Security Team,
I'm currently checking 'ckeditor' (an HTML editor for web
applications, currently v4) for vulnerabilities to fix.
(I may send a separate e-mail about this later)
I noted that 'ckeditor3' (re-introduced as a dependency to horde in
2016) did not reference any vulnerabilities. A quick check showed that
it contains vulnerable code for at least CVE-2021-33829 and CVE-2021-37695.
https://security-tracker.debian.org/tracker/source-package/ckeditor3
Do you think we should tag 'ckeditor3' with confirmed CVEs from
'ckeditor'? Or mark it as end-of-life?
Cheers!
Sylvain Beucler
Debian LTS Team