On Wed, Oct 21, 2015 at 8:54 PM, A.L.E.C <[email protected]> wrote:
> On 10/18/2015 01:23 AM, Guilhem Moulin wrote:
>> Completely unrelated, please note that the "1.1.3 — Dependent" tarball
>> includes moxieplayer.swf, while the last mention of moxieplayer in your
>> changelog says "TinyMCE security issue: removed moxieplayer (embedding
>> flv and mp4 is not supported anymore)". Was it re-added by mistake?
>> (Anyway, that file violates the DFSG and will be removed from the
>> upcoming 1.1.3 Debian packages.)
>
> The file was re-added with the update to TinyMCE 4.x. I don't know if it's
> still vulnerable; the file is in a newer version according to git.
>
> Thomas, do you remember what vulnerability it was?
Finally I found it. I just forwarded the original report to you.

And here's a related commit which removed that file back in 2011:
https://github.com/roundcube/roundcubemail/commit/d6284b4d22d1e

According to this page http://cxsecurity.com/issue/WLB-2013070017 the
vulnerability has been fixed in TinyMCE 4.0, which we have in Roundcube 1.1.

Cheers,
Thomas

_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
