Hi Sylvain,

On Fri, May 06, 2022 at 09:23:27PM +0200, Sylvain Beucler wrote:
> Hello Security Team,
>
> I'm currently checking 'ckeditor' (v4), an HTML editor for web applications,
> for vulnerabilities to fix.
> (I may send a separate e-mail about this later.)
>
> I noted that 'ckeditor3' (re-introduced as a dependency of horde in 2016)
> did not reference any vulnerabilities. A quick check showed that it contains
> vulnerable code for at least CVE-2021-33829 and CVE-2021-37695.
> https://security-tracker.debian.org/tracker/source-package/ckeditor3
>
> Do you think we should tag 'ckeditor3' with confirmed CVEs from
> 'ckeditor'? Or mark it as end-of-life?
Thanks for spotting this.

Do we know something about php-horde-editor's compatibility with ckeditor version 4? I assume it's still incompatible and we would either need to use the embedded copy or ckeditor3 in the archive. There was only one upstream version following the introduction of ckeditor3. Now, php-horde-editor is the only rdepends of ckeditor3.

IMHO we need to do a re-evaluation of the current CVEs for ckeditor to see which affect ckeditor3 as well, and in particular try to get a picture of how those known to affect ckeditor3 impact php-horde-editor. Some might, for instance, be negligible in the context of php-horde-editor specifically.

Just an idea, and not necessarily the security team view right now already: depending on this outcome we might declare it as unsupported in general, and only to be considered if an issue impacts php-horde-editor.

And I wonder if it should be a goal to try to get rid of ckeditor3 again for the bookworm release, which we would still be in time for. Removing does not seem to be feasible right now, as the php-horde framework depends, with php-horde-core, php-horde-imp and php-horde-gollem, in some form on the editor.

Inputs, ideas?

Regards,
Salvatore