ckeditor - Debian Package Tracker

general

source: ckeditor (main)
version: 4.22.1+dfsg1-2
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Bastien Roucariès [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.11.1+dfsg-1
oldstable: 4.16.0+dfsg-2
stable: 4.19.1+dfsg-1
unstable: 4.22.1+dfsg1-2

versioned links

4.11.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.16.0+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.19.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.22.1+dfsg1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ckeditor (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 4.25.1-lts high

A new upstream version 4.25.1-lts is available, you should consider packaging it.

Created: 2023-08-25 Last update: 2025-06-18 22:00

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2022-07-18 Last update: 2025-06-12 09:32

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2024-24815: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.
CVE-2024-24816: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
CVE-2024-43407: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.

Created: 2024-02-09 Last update: 2025-05-26 15:30

lintian reports 6 warnings high

Lintian reports 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2025-04-10 09:30

3 security issues in trixie high

There are 3 open security issues in trixie.

3 important issues:

CVE-2024-24815: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.
CVE-2024-24816: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
CVE-2024-43407: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.

Created: 2024-02-09 Last update: 2025-03-10 10:30

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 20-day delay is over. Check why.

Created: 2025-05-26 Last update: 2025-06-19 00:02

Depends on packages which need a new maintainer normal

The packages that ckeditor depends on which need a new maintainer are:

closure-compiler (#1008632)
- Build-Depends: closure-compiler

Created: 2022-03-29 Last update: 2025-06-18 23:00

4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2023-28439: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
CVE-2024-24815: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.
CVE-2024-43407: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2024-24816: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.

Created: 2023-06-10 Last update: 2025-05-26 15:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-02-27 13:25

testing migrations

excuses:
- Migration status for ckeditor (- to 4.22.1+dfsg1-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating ckeditor would introduce bugs in testing: #1102677
- ∙ ∙ blocked by freeze: is not in testing
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/c/ckeditor.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Reproducible on armhf - info ♻
- ∙ ∙ 688 days old (needed 20 days)
- Not considered

news

[rss feed]

[2025-05-27] ckeditor REMOVED from testing (Debian testing watch)
[2023-08-06] ckeditor 4.22.1+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2023-08-01] Accepted ckeditor 4.22.1+dfsg1-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2023-07-31] Accepted ckeditor 4.22.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2022-08-02] ckeditor 4.19.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-07-28] Accepted ckeditor 4.19.1+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-07-22] ckeditor 4.19.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-07-16] Accepted ckeditor 4.19.0+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-08] Accepted ckeditor 4.5.7+dfsg-2+deb9u1 (source) into oldoldstable (Utkarsh Gupta)
[2021-08-23] ckeditor 4.16.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-08-17] Accepted ckeditor 4.16.2+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-06-16] ckeditor 4.16.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-06-11] Accepted ckeditor 4.16.0+dfsg-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-04-12] ckeditor 4.16.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-03-07] Accepted ckeditor 4.16.0+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2019-09-12] ckeditor 4.12.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-09-03] Accepted ckeditor 4.12.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-11-17] ckeditor 4.11.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-11-14] Accepted ckeditor 4.11.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-11-04] ckeditor 4.10.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-10-30] Accepted ckeditor 4.10.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-08-12] ckeditor 4.10.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-08-06] Accepted ckeditor 4.10.0+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-24] ckeditor 4.9.2+dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-06-19] Accepted ckeditor 4.9.2+dfsg-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-17] ckeditor 4.9.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-06-12] Accepted ckeditor 4.9.2+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-09] ckeditor 4.5.7+dfsg-3 MIGRATED to testing (Debian testing watch)
[2018-06-04] Accepted ckeditor 4.5.7+dfsg-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2016-03-15] Accepted ckeditor 4.5.7+dfsg-2~bpo8+1 (source all) into jessie-backports, jessie-backports (Dmitry Smirnov)

bugs [bug history graph]

all: 3
RC: 1
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 6)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.22.1+dfsg1-2ubuntu1
1 bug
patches for 4.22.1+dfsg1-2ubuntu1