Hi,
On 21/05/2022 12:06, Sylvain Beucler wrote:
> On 21/05/2022 10:45, Mike Gabriel wrote:
>> as I have a company interest in Horde and thus in ckeditor3, I'd be
>> happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in
>> unstable needs the same love as in LTS. And we are currently working
>> on upgrading the company mailserver.
>> The extra funding from DAS-NETZWERKTEAM could either be directly
>> invoiced to me by the LTS contributor or funding could be piped
>> through Freexian if they can go with that and see that as a requirement.
>> So, ping@Raphael? I have something like 4-6 hours in mind. What is
>> your preferred way of handling individual package funding such as
>> described above?
> Given that ckeditor is pretty opaque about their security fixes, I
> personally wouldn't know how to identify fixes to ckeditor3 and
> ckeditor(4) as shipped in Debian. (Actually I was asked to clarify
> ckeditor3's situation so we don't offer to support a package that is
> really unsupportable.)
> Status:
> https://security-tracker.debian.org/tracker/source-package/ckeditor
> https://security-tracker.debian.org/tracker/source-package/ckeditor3
> Maybe one way forward would be to upgrade ckeditor in upstream Horde,
> bump all ckeditor(4) to the currently maintained 4.x in all Debian
> dists, and fund this through e.g.
> https://freexian-team.pages.debian.net/project-funding/
> (with security team's OK of course)
> Unless there are other ideas on how to maintain horde/ckeditor3 as-is.
To recap:
- CKEditor's security announcements are too vague to identify the
vulnerabilities and their fixes,
- CKEditor4.x is maintained upstream,
- CKEditor3.x isn't,
- Upgrading to CKEditor4 breaks php-horde-editor and php-horde-imp's API
calls and specific plugins,
- Horde's usage of CKEditor3 is standard and all the vulnerabilities are
relevant in this context.
Consequently I propose ckeditor3 be end-of-life for stretch.
I plan to prepare a pull request for debian-security-support next week.
Cheers!
Sylvain Beucler
Debian LTS Team