On 10/18/2015 01:23 AM, Guilhem Moulin wrote: > Completely unrelated, please note that the “1.1.3 — Dependent” tarball > includes moxieplayer.swf, while the last mention of moxieplayer in your > changelog says “TinyMCE security issue: removed moxieplayer (embedding > flv and mp4 is not supported anymore)”. Was it re-added by mistake? > (Anyway that file is violates the DFSG and will be removed from the > upcoming 1.1.3 Debian packages.)
The file was re-added with update to TinyMCE 4.x. I don't know if it's still vulnerable, the file is in a newer version according to git. Thomas, do you remember what vulnerability it was? -- Aleksander 'A.L.E.C' Machniak Kolab Groupware Developer [http://kolab.org] Roundcube Webmail Developer [http://roundcube.net] --------------------------------------------------- PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl _______________________________________________ Roundcube Development discussion mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/dev
