Debian Package Tracker

ckeditor3

text editor for internet


general
  • source: ckeditor3 (main)
  • version: 3.6.6.1+dfsg-7
  • maintainer: Horde Maintainers (DMD)
  • uploaders: Mike Gabriel [DMD]
  • arch: all
  • std-ver: 4.5.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 3.6.6.1+dfsg-1
  • oldstable: 3.6.6.1+dfsg-3
  • stable: 3.6.6.1+dfsg-7
  • testing: 3.6.6.1+dfsg-7
  • unstable: 3.6.6.1+dfsg-7
versioned links
  • 3.6.6.1+dfsg-1: [.dsc] [changelog] [copyright] [rules] [control]
  • 3.6.6.1+dfsg-3: [.dsc] [changelog] [copyright] [rules] [control]
  • 3.6.6.1+dfsg-7: [.dsc] [changelog] [copyright] [rules] [control]
binaries
  • ckeditor3
action needed
8 security issues in sid [high]

There are 8 open security issues in sid.

8 important issues:
  • CVE-2014-5191: Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  • CVE-2018-17960: CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
  • CVE-2021-26271: It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
  • CVE-2021-33829: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
  • CVE-2021-37695: ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
  • CVE-2021-41165: CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
  • CVE-2022-24728: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
  • CVE-2022-24729: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
Created: 2022-07-04 Last update: 2022-09-05 12:55
8 security issues in bookworm [high]

There are 8 open security issues in bookworm.

8 important issues:
  • CVE-2014-5191: Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  • CVE-2018-17960: CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
  • CVE-2021-26271: It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
  • CVE-2021-33829: A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
  • CVE-2021-37695: ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
  • CVE-2021-41165: CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
  • CVE-2022-24728: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
  • CVE-2022-24729: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
Created: 2022-07-04 Last update: 2022-09-05 12:55
lintian reports 195 errors and 14 warnings [high]
Lintian reports 195 errors and 14 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2020-08-22 Last update: 2022-07-30 12:12
Multiarch hinter reports 1 issue(s) [normal]
There are issues with the multiarch metadata for this package.
  • ckeditor3 could be marked Multi-Arch: foreign
Created: 2020-07-15 Last update: 2023-03-20 21:42
8 low-priority security issues in bullseye [low]

There are 8 open security issues in bullseye.

8 issues left for the package maintainer to handle:
  • CVE-2014-5191: (needs triaging) Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
  • CVE-2018-17960: (needs triaging) CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
  • CVE-2021-26271: (needs triaging) It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
  • CVE-2021-33829: (needs triaging) A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.
  • CVE-2021-37695: (needs triaging) ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
  • CVE-2021-41165: (needs triaging) CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
  • CVE-2022-24728: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
  • CVE-2022-24729: (needs triaging) CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2022-09-05 12:55
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.2 instead of 4.5.0).
Created: 2020-11-17 Last update: 2022-12-17 19:17
news
  • [2020-07-22] ckeditor3 3.6.6.1+dfsg-7 MIGRATED to testing (Debian testing watch)
  • [2020-07-16] Accepted ckeditor3 3.6.6.1+dfsg-7 (source) into unstable (Mike Gabriel)
  • [2020-07-15] Accepted ckeditor3 3.6.6.1+dfsg-6 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Mike Gabriel)
  • [2020-05-01] ckeditor3 REMOVED from testing (Debian testing watch)
  • [2020-04-29] Removed 3.6.6.1+dfsg-4 from unstable (Debian FTP Masters)
  • [2019-10-25] ckeditor3 3.6.6.1+dfsg-4 MIGRATED to testing (Debian testing watch)
  • [2019-10-20] Accepted ckeditor3 3.6.6.1+dfsg-4 (source) into unstable (Mathieu Parent)
  • [2018-05-22] ckeditor3 3.6.6.1+dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2018-05-17] Accepted ckeditor3 3.6.6.1+dfsg-3 (source all) into unstable (Mathieu Parent)
  • [2018-04-11] ckeditor3 3.6.6.1+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2018-04-10] ckeditor3 3.6.6.1+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2018-04-05] Accepted ckeditor3 3.6.6.1+dfsg-2 (source all) into unstable (Mathieu Parent)
  • [2017-01-02] ckeditor3 3.6.6.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2016-12-22] Accepted ckeditor3 3.6.6.1+dfsg-1 (source all) into unstable, unstable (Sophie Brun) (signed by: Raphaël Hertzog)
bugs
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
ubuntu
  • version: 3.6.6.1+dfsg-7

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers