Debian Bug report logs - #760736
ckeditor: CVE-2014-5191

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Sun, 7 Sep 2014 12:27:02 UTC

Severity: grave

Tags: security

Found in version ckeditor/4.3.5+dfsg1-1

Fixed in version ckeditor/4.4.4+dfsg1-1

Done: Bastien Roucariès <roucaries.bastien+debian@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#760736; Package ckeditor. (Sun, 07 Sep 2014 12:27:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Frank Habermann <lordlamer@lordlamer.de>. (Sun, 07 Sep 2014 12:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ckeditor: CVE-2014-5191
Date: Sun, 07 Sep 2014 14:07:11 +0200
Package: ckeditor
Severity: grave
Tags: security
Justification: user security hole

Please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5191
http://ckeditor.com/release/CKEditor-4.4.3

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#760736; Package ckeditor. (Wed, 10 Sep 2014 16:21:05 GMT)


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Wed, 10 Sep 2014 16:21:05 GMT)


Message #10 received at 760736@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: 760736@bugs.debian.org
Subject: Pending upload
Date: Wed, 10 Sep 2014 18:18:05 +0200
A new version is under mentors at:
http://mentors.debian.net/debian/pool/main/c/ckeditor/ckeditor_4.4.4+dfsg1-1.dsc

Stable is problematic. I could not make a patch:
- ckeditor under stable is only min.js (not sourced: S)
- I may with a lot of work create a sourceful version from svn but it
will be massive surgery.
- I may delete the problematic plugin but the package will still be
sourceless and it will lose some functionality.

Bastien



Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#760736; Package ckeditor. (Wed, 10 Sep 2014 16:30:09 GMT)


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Wed, 10 Sep 2014 16:30:10 GMT)


Message #15 received at 760736@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: 760736@bugs.debian.org
Subject: Re: Pending upload
Date: Wed, 10 Sep 2014 18:27:50 +0200
control: tag -1 + pending
control: tag  -1 + fixed-upstream.

BTW wheezy is affected too (not squeeze); the code is identical to that in
4.4. Could you update the security tracker?

Upstream fixed 3.6 here
http://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706

On Wed, Sep 10, 2014 at 6:18 PM, Bastien ROUCARIES
<roucaries.bastien@gmail.com> wrote:
> A new version is under mentors at:
> http://mentors.debian.net/debian/pool/main/c/ckeditor/ckeditor_4.4.4+dfsg1-1.dsc
>
> Stable is problematic. I could not make a patch:
> - ckeditor under stable is only min.js (not sourced: S)
> - I may with a lot of work create a sourceful version from svn but it
> will be massive surgery.
> - I may delete the problematic plugin but the package will still be
> sourceless and it will lose some functionality.
>
> Bastien



Added tag(s) pending. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to 760736-submit@bugs.debian.org. (Wed, 10 Sep 2014 16:30:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Frank Habermann <lordlamer@lordlamer.de>:
Bug#760736; Package ckeditor. (Wed, 10 Sep 2014 17:06:17 GMT)


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Extra info received and forwarded to list. Copy sent to Frank Habermann <lordlamer@lordlamer.de>. (Wed, 10 Sep 2014 17:06:17 GMT)


Message #22 received at 760736@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: 760736@bugs.debian.org
Subject: Re: Pending upload
Date: Wed, 10 Sep 2014 18:58:55 +0200
On Wed, Sep 10, 2014 at 6:27 PM, Bastien ROUCARIES
<roucaries.bastien@gmail.com> wrote:
> control: tag -1 + pending
> control: tag  -1 + fixed-upstream.
>
> BTW wheezy is affected too (not squeeze); the code is identical to that in
> 4.4. Could you update the security tracker?

Sorry, the stable version is one sub-minor version before the problem, so it is not affected.

> Upstream fixed 3.6 here
> http://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706
>
> On Wed, Sep 10, 2014 at 6:18 PM, Bastien ROUCARIES
> <roucaries.bastien@gmail.com> wrote:
>> A new version is under mentors at:
>> http://mentors.debian.net/debian/pool/main/c/ckeditor/ckeditor_4.4.4+dfsg1-1.dsc
>>
>> Stable is problematic. I could not make a patch:
>> - ckeditor under stable is only min.js (not sourced: S)
>> - I may with a lot of work create a sourceful version from svn but it
>> will be massive surgery.
>> - I may delete the problematic plugin but the package will still be
>> sourceless and it will lose some functionality.
>>
>> Bastien



Reply sent to Bastien Roucariès <roucaries.bastien+debian@gmail.com>:
You have taken responsibility. (Sat, 13 Sep 2014 21:09:47 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 13 Sep 2014 21:09:48 GMT)


Message #27 received at 760736-close@bugs.debian.org:

From: Bastien Roucariès <roucaries.bastien+debian@gmail.com>
To: 760736-close@bugs.debian.org
Subject: Bug#760736: fixed in ckeditor 4.4.4+dfsg1-1
Date: Sat, 13 Sep 2014 21:04:47 +0000
Source: ckeditor
Source-Version: 4.4.4+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
ckeditor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 760736@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <roucaries.bastien+debian@gmail.com> (supplier of updated ckeditor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 13 Sep 2014 19:34:59 +0200
Source: ckeditor
Binary: ckeditor
Architecture: source all
Version: 4.4.4+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Frank Habermann <lordlamer@lordlamer.de>
Changed-By: Bastien Roucariès <roucaries.bastien+debian@gmail.com>
Description:
 ckeditor   - text editor for internet
Closes: 756155 760736
Changes:
 ckeditor (4.4.4+dfsg1-1) unstable; urgency=high
 .
   * New upstream release.
   * Bug fix: "CVE-2014-5191", thanks to Moritz Muehlenhoff
     (Closes: #760736). Cross-site scripting (XSS) vulnerability
     in the Preview plugin before 4.4.3 in CKEditor allows
     remote attackers to inject arbitrary web script
     or HTML via unspecified vectors.
   * Use packaged libjs-highlight.
   * Bug fix: "CKEDITOR is not defined", thanks to Louis-David
     Mitterrand. (Closes: #756155).
   * Remove uicolor plugin for security and dfsg (sourceless)
     reasons.





Marked as found in versions ckeditor/4.3.5+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2014 03:51:08 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Oct 2014 07:31:27 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:34:45 2019; Machine Name: beach
