Hello Security Team,
On 21/03/2025 22:53, Sylvain Beucler wrote:
On 12/08/2024 02:27, Mike Gabriel wrote:
On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:
On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
On 31/05/22 at 05:42, Mike Gabriel wrote:
> On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
> > On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
> > > While this is discouraged in general, we could opt here for this, to
> > > avoid that ckeditor3 might get additional users outside of
> > > php-horde-editor.
> >
> > This would also mean that only those bits of ckeditor3 which are actually
> > used by Horde need to be updated.
> >
> > Cheers,
> > Moritz
>
> I read that embedding is ok with the security team for the exceptional case
> php-horde-editor. I will put this on my todo list for the next Horde update
> round (which is already overdue).
>
> Mike
Hello Mike,
AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then,
so I guess the situation is the same as when buster was becoming LTS.
I wonder if there is any action that could be made for bullseye and
bookworm. Is there a way to limit the ckeditor3 security support to
only cover the usage with php-horde-editor?
Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba
have been in dsa-needed.txt for a long time, but pings were never replied
to either.
It seems best to drop Horde (and ckeditor3 alongside) from testing.
Cheers,
Moritz
I will take a look at this the coming week or the week after (when I
will have plenty of time for Debian stuff).
[snip!]
Regarding the nearly-non-maintenance state of Horde: Horde hasn't been
ported to PHP 8 yet. One of the upstream devs is working on that, but
there are no official releases yet. I will ping them about the
current status.
- We're working on a ckeditor3->ckeditor[v4] upgrade for php-horde-*,
which will allow dropping ckeditor3.
https://lists.debian.org/debian-lts/2025/03/msg00011.html
- However,
> to avoid that ckeditor3 might get additional users outside of
> php-horde-editor.
it appears that was already the case, as virtuoso-opensource has a
*build*-dependency on ckeditor3 (says dak).
I contacted the maintainers with https://bugs.debian.org/1101019 .
I realized that ckeditor3 is not referenced in debian-security-support
for bullseye nor for bookworm.
It was for buster-lts and stretch-lts:
https://lists.debian.org/debian-lts/2022/05/msg00060.html
https://lists.debian.org/debian-lts/2022/08/msg00001.html
(Ideally we could now drop ckeditor3 from bullseye & bookworm, since
it's not used by php-horde-editor anymore, but sadly it's still a
build-dependency of virtuoso-opensource, see above.)
The issues are still present:
- horde-specific
- EOL'd upstream
- open CVEs with no patches
For clarity, do we want to add ckeditor3 to
security-support-ended.deb11/12/13 ?
Cheers!
Sylvain Beucler
Debian LTS Team