ckeditor - Debian Package Tracker

general

source: ckeditor (main)
version: 4.22.1+dfsg1-2
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Bastien Roucariès [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.11.1+dfsg-1
oldstable: 4.16.0+dfsg-2
stable: 4.19.1+dfsg-1
testing: 4.22.1+dfsg1-2
unstable: 4.22.1+dfsg1-2

versioned links

4.11.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.16.0+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.19.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.22.1+dfsg1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ckeditor

action needed

A new upstream version is available: 4.23.0-lts high

A new upstream version 4.23.0-lts is available, you should consider packaging it.

Created: 2023-08-25 Last update: 2023-10-02 18:33

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2022-07-18 Last update: 2023-09-24 17:08

lintian reports 5 warnings high

Lintian reports 5 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2023-08-01 23:05

Depends on packages which need a new maintainer normal

The packages that ckeditor depends on which need a new maintainer are:

closure-compiler (#1008632)
- Build-Depends: closure-compiler

Created: 2022-03-29 Last update: 2023-10-02 15:33

8 low-priority security issues in bullseye low

There are 8 open security issues in bullseye.

8 issues left for the package maintainer to handle:

CVE-2021-32808: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-32809: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-37695: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-41164: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2021-41165: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2022-24728: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVE-2022-24729: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
CVE-2023-28439: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-08-06 06:12

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2023-28439: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-06-10 Last update: 2023-08-06 06:12

news

[rss feed]

[2023-08-06] ckeditor 4.22.1+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2023-08-01] Accepted ckeditor 4.22.1+dfsg1-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2023-07-31] Accepted ckeditor 4.22.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2022-08-02] ckeditor 4.19.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-07-28] Accepted ckeditor 4.19.1+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-07-22] ckeditor 4.19.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-07-16] Accepted ckeditor 4.19.0+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-08] Accepted ckeditor 4.5.7+dfsg-2+deb9u1 (source) into oldoldstable (Utkarsh Gupta)
[2021-08-23] ckeditor 4.16.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-08-17] Accepted ckeditor 4.16.2+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-06-16] ckeditor 4.16.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-06-11] Accepted ckeditor 4.16.0+dfsg-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-04-12] ckeditor 4.16.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-03-07] Accepted ckeditor 4.16.0+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2019-09-12] ckeditor 4.12.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-09-03] Accepted ckeditor 4.12.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-11-17] ckeditor 4.11.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-11-14] Accepted ckeditor 4.11.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-11-04] ckeditor 4.10.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-10-30] Accepted ckeditor 4.10.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-08-12] ckeditor 4.10.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-08-06] Accepted ckeditor 4.10.0+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-24] ckeditor 4.9.2+dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-06-19] Accepted ckeditor 4.9.2+dfsg-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-17] ckeditor 4.9.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-06-12] Accepted ckeditor 4.9.2+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-09] ckeditor 4.5.7+dfsg-3 MIGRATED to testing (Debian testing watch)
[2018-06-04] Accepted ckeditor 4.5.7+dfsg-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2016-03-15] Accepted ckeditor 4.5.7+dfsg-2~bpo8+1 (source all) into jessie-backports, jessie-backports (Dmitry Smirnov)
[2016-02-18] ckeditor 4.5.7+dfsg-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 5)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.22.1+dfsg1-2
1 bug