Am Thu, Apr 03, 2025 at 04:15:27PM +0200 schrieb Sylvain Beucler:
> Hello Security Team,
>
> I realized that ckeditor3 is not referenced in debian-security-support for
> bullseye nor for bookworm.
>
> It was for buster-lts and stretch-lts:
> https://lists.debian.org/debian-lts/2022/05/msg00060.html
> https://lists.debian.org/debian-lts/2022/08/msg00001.html
>
> (Ideally we could now drop ckeditor3 from bullseye & bookworm, since it's
> not used by php-horde-editor anymore, but sadly it's still a
> build-dependency of virtuoso-opensource, see above.)
>
> The issues are still present:
> - horde-specific
> - EOL'd upstream
> - open CVEs with no patches
>
> For clarity, do we want to add ckeditor3 to
> security-support-ended.deb11/12/13 ?
Let's add it to security-support-limited.deb12:
ckeditor3 Only present as a build dependency for virtuose, no updates will
be issued
Cheers,
Moritz
