Hi all,
On 12/05/2022 08:35, Mike Gabriel wrote:
On Tue, May 10, 2022 at 12:31:46PM +0200, Sylvain Beucler wrote:
On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
Now, php-horde-editor is the only rdepends of ckeditor3.
IMHO we need to do a re-evaluation of the current CVEs for ckeditor to
see which affect ckeditor3 as well and in particular try to get a
picture how those known to affect ckeditor3 impact php-horde-editor.
Some might be for instance negligible in context of php-horde-editor
specifically.
Just an idea, and not necessarily right now already the security team
view: Depending on this outcome we might declare it as unsupported in
general, and only to be considered if an issue impacts
php-horde-editor.
This sounds good to me.
To get a clearer view, I associated ckeditor CVEs to ckeditor3,
excluding those that are clearly specific to v4 or v5, and marking them
<not-affected> when possible:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a55e943bca823e36337c8b47cd65adcf0405fd4
I think all vulnerabilities apply to ckeditor3 in the context of
php-horde-editor, as I didn't witness any particular limitation in the
way it's loaded.
A few of them can be fixed, most of them (as with ckeditor4) are too
unclear, and (unlike ckeditor4) we don't have the option to bump to a
new upstream release.
I believe we can either mark ckeditor3 as end-of-life, or maybe add it
to debian-security-support:security-support-limited (best effort), what
do you think?
Cheers!
Sylvain Beucler
Debian LTS Team