[Pkg-javascript-devel] ckeditor4 security update

Sylvain Beucler beuc at beuc.net
Fri Jun 17 16:27:32 BST 2022


Hello,

I'm working on Debian LTS (stretch), and I saw there are a number of 
CVEs against ckeditor (v4), as seen in #982587 #999909 and #992290-2, 
and I'm willing to provide some help on this package.
https://security-tracker.debian.org/tracker/source-package/ckeditor

AFAIU ckeditor upstream does not provide much information on fixes, 
making it hard if not impossible to backport targeted fixes.
However they maintain branch 4.x cleanly.
Thus it may make sense to upgrade to 4.18 (or later) in all Debian 
dists, including stable/oldstable (possibly in the next point release).

Does that sound doable and safe enough, or do you think there's too much 
of a risk of breakage?

Cheers!
Sylvain Beucler
Debian LTS Team


