ckeditor - Debian Package Tracker

general

source: ckeditor (main)
version: 4.16.2+dfsg-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Dmitry Smirnov [DMD] – Bastien Roucariès [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.5.7+dfsg-2
oldstable: 4.11.1+dfsg-1
stable: 4.16.0+dfsg-2
testing: 4.16.2+dfsg-1
unstable: 4.16.2+dfsg-1

versioned links

4.5.7+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.11.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.16.0+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.16.2+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ckeditor

action needed

lintian reports 4 errors and 3 warnings high

Lintian reports 4 errors and 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-09-06 Last update: 2021-09-06 18:31

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2021-21391: CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.

Created: 2021-07-05 Last update: 2021-08-29 19:35

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2021-21391: CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.

Created: 2021-08-15 Last update: 2021-08-29 19:35

6 low-priority security issues in buster low

There are 6 open security issues in buster.

6 issues left for the package maintainer to handle:

CVE-2021-21391: (needs triaging) CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.
CVE-2021-26271: (needs triaging) It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
CVE-2021-26272: (needs triaging) It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).
CVE-2021-32809: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-33829: (needs triaging) A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
CVE-2021-37695: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-08-29 19:35

4 low-priority security issues in bullseye low

There are 4 open security issues in bullseye.

4 issues left for the package maintainer to handle:

CVE-2021-21391: (needs triaging) CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has been discovered in multiple CKEditor 5 packages. The vulnerability allowed to abuse particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 packages listed above at version <= 26.0.0. The problem has been recognized and patched. The fix will be available in version 27.0.0.
CVE-2021-32808: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-32809: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
CVE-2021-37695: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-08-13 Last update: 2021-08-29 19:35

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.5.1).

Created: 2021-08-18 Last update: 2021-08-18 14:02

news

[rss feed]

[2021-08-23] ckeditor 4.16.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-08-17] Accepted ckeditor 4.16.2+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-06-16] ckeditor 4.16.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-06-11] Accepted ckeditor 4.16.0+dfsg-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-04-12] ckeditor 4.16.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-03-07] Accepted ckeditor 4.16.0+dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2019-09-12] ckeditor 4.12.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-09-03] Accepted ckeditor 4.12.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-11-17] ckeditor 4.11.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-11-14] Accepted ckeditor 4.11.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-11-04] ckeditor 4.10.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-10-30] Accepted ckeditor 4.10.1+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-08-12] ckeditor 4.10.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-08-06] Accepted ckeditor 4.10.0+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-24] ckeditor 4.9.2+dfsg-2 MIGRATED to testing (Debian testing watch)
[2018-06-19] Accepted ckeditor 4.9.2+dfsg-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-17] ckeditor 4.9.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-06-12] Accepted ckeditor 4.9.2+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2018-06-09] ckeditor 4.5.7+dfsg-3 MIGRATED to testing (Debian testing watch)
[2018-06-04] Accepted ckeditor 4.5.7+dfsg-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2016-03-15] Accepted ckeditor 4.5.7+dfsg-2~bpo8+1 (source all) into jessie-backports, jessie-backports (Dmitry Smirnov)
[2016-02-18] ckeditor 4.5.7+dfsg-2 MIGRATED to testing (Debian testing watch)
[2016-02-13] Accepted ckeditor 4.5.7+dfsg-2 (source all) into unstable (Dmitry Smirnov)
[2016-02-12] Accepted ckeditor 4.5.7+dfsg-1 (source all) into unstable (Dmitry Smirnov)
[2016-02-10] Accepted ckeditor 4.5.6+dfsg-1 (source all) into unstable (Dmitry Smirnov)
[2014-11-17] ckeditor 4.4.4+dfsg1-3 MIGRATED to testing (Britney)
[2014-11-11] Accepted ckeditor 4.4.4+dfsg1-3 (source all) into unstable (Bastien Roucariès) (signed by: Mathieu Parent)
[2014-10-28] ckeditor 4.4.4+dfsg1-2 MIGRATED to testing (Britney)
[2014-10-25] Accepted ckeditor 4.4.4+dfsg1-2 (source all) into unstable (Bastien Roucariès) (signed by: Mathieu Parent)
[2014-09-16] ckeditor 4.4.4+dfsg1-1 MIGRATED to testing (Britney)

bugs [bug history graph]

all: 0

links

homepage
lintian (4, 3)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.16.0+dfsg-2
1 bug