ckeditor - Debian Package Tracker

general

source: ckeditor (main)
version: 4.16.2+dfsg-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Dmitry Smirnov [DMD] – Bastien Roucariès [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.5.7+dfsg-2
o-o-sec: 4.5.7+dfsg-2+deb9u1
oldstable: 4.11.1+dfsg-1
stable: 4.16.0+dfsg-2
testing: 4.16.2+dfsg-1
unstable: 4.16.2+dfsg-1

versioned links

4.5.7+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.5.7+dfsg-2+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.11.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.16.0+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.16.2+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ckeditor

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/ckeditor/ckeditor-dev/releases (?:.*/)?v?(\d[\d\.]*)\.tar\.gz

Created: 2021-10-24 Last update: 2022-05-26 16:31

8 security issues in stretch high

There are 8 open security issues in stretch.

2 important issues:

CVE-2022-24728: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVE-2022-24729: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

5 issues postponed or untriaged:

CVE-2021-26271: (postponed; to be fixed through a stable update) It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
CVE-2021-26272: (postponed; to be fixed through a stable update) It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
CVE-2021-32809: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-41164: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2021-41165: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

1 ignored issue:

CVE-2018-17960: CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.

Created: 2022-03-24 Last update: 2022-05-02 21:00

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2021-21391: CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.
CVE-2021-41164: CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2021-41165: CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2022-24728: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVE-2022-24729: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

Created: 2021-07-05 Last update: 2022-05-02 21:00

10 security issues in buster high

There are 10 open security issues in buster.

2 important issues:

CVE-2022-24728: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVE-2022-24729: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

8 issues left for the package maintainer to handle:

CVE-2021-21391: (needs triaging) CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.
CVE-2021-26271: (needs triaging) It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
CVE-2021-26272: (needs triaging) It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
CVE-2021-32809: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-33829: (needs triaging) A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
CVE-2021-37695: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-41164: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2021-41165: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2022-05-02 21:00

8 security issues in bullseye high

There are 8 open security issues in bullseye.

2 important issues:

CVE-2022-24728: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVE-2022-24729: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

6 issues left for the package maintainer to handle:

CVE-2021-21391: (needs triaging) CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.
CVE-2021-32808: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-32809: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-37695: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-41164: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2021-41165: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-13 Last update: 2022-05-02 21:00

5 security issues in bookworm high

There are 5 open security issues in bookworm.

5 important issues:

CVE-2021-21391: CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.
CVE-2021-41164: CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2021-41165: CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
CVE-2022-24728: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
CVE-2022-24729: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

Created: 2021-08-15 Last update: 2022-05-02 21:00

lintian reports 1 warning high

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2021-10-13 21:31

Depends on packages which need a new maintainer normal

The packages that ckeditor depends on which need a new maintainer are:

closure-compiler (#1008632)
- Build-Depends: closure-compiler

Created: 2022-03-29 Last update: 2022-05-26 17:03

2 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit cc6e66f091b1327cf8fcd571e741db0804e720f7
Author: Yadd <yadd@debian.org>
Date:   Sun Nov 21 15:23:33 2021 +0100

    Fix debian/watch: use /tags instead of /releases

commit c9110ff13f7618e26eb126a0969a9e9acd05faaf
Author: Yadd <yadd@debian.org>
Date:   Fri Nov 5 03:33:39 2021 +0100

    Update standards version to 4.6.0, no changes needed.
    
    Changes-By: lintian-brush
    Fixes: lintian: out-of-date-standards-version
    See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html

Created: 2021-11-05 Last update: 2022-05-23 05:38

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.1).

Created: 2021-08-18 Last update: 2022-05-11 23:24

news

[rss feed]

[2021-11-08] Accepted ckeditor 4.5.7+dfsg-2+deb9u1 (source) into oldoldstable (Utkarsh Gupta)
[2021-08-23] ckeditor 4.16.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-08-17] Accepted ckeditor 4.16.2+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-06-16] ckeditor 4.16.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-06-11] Accepted ckeditor 4.16.0+dfsg-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-04-12] ckeditor 4.16.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-03-07] Accepted ckeditor 4.16.0+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2019-09-12] ckeditor 4.12.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-09-03] Accepted ckeditor 4.12.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-11-17] ckeditor 4.11.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-11-14] Accepted ckeditor 4.11.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-11-04] ckeditor 4.10.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-10-30] Accepted ckeditor 4.10.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-08-12] ckeditor 4.10.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-08-06] Accepted ckeditor 4.10.0+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-24] ckeditor 4.9.2+dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-06-19] Accepted ckeditor 4.9.2+dfsg-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-17] ckeditor 4.9.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-06-12] Accepted ckeditor 4.9.2+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-09] ckeditor 4.5.7+dfsg-3 MIGRATED to testing (Debian testing watch)
[2018-06-04] Accepted ckeditor 4.5.7+dfsg-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2016-03-15] Accepted ckeditor 4.5.7+dfsg-2~bpo8+1 (source all) into jessie-backports, jessie-backports (Dmitry Smirnov)
[2016-02-18] ckeditor 4.5.7+dfsg-2 MIGRATED to testing (Debian testing watch)
[2016-02-13] Accepted ckeditor 4.5.7+dfsg-2 (source all) into unstable (Dmitry Smirnov)
[2016-02-12] Accepted ckeditor 4.5.7+dfsg-1 (source all) into unstable (Dmitry Smirnov)
[2016-02-10] Accepted ckeditor 4.5.6+dfsg-1 (source all) into unstable (Dmitry Smirnov)
[2014-11-17] ckeditor 4.4.4+dfsg1-3 MIGRATED to testing (Britney)
[2014-11-11] Accepted ckeditor 4.4.4+dfsg1-3 (source all) into unstable (Bastien Roucariès) (signed by: Mathieu Parent)
[2014-10-28] ckeditor 4.4.4+dfsg1-2 MIGRATED to testing (Britney)
[2014-10-25] Accepted ckeditor 4.4.4+dfsg1-2 (source all) into unstable (Bastien Roucariès) (signed by: Mathieu Parent)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.16.2+dfsg-1
1 bug