[SECURITY] [DLA 2813-1] ckeditor security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2813-1] ckeditor security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Tue, 9 Nov 2021 14:22:03 +0530
Message-id: <[🔎] CAPP0f96usduL+8sRRUvVNWuGSkBwPs35JoJHccDkJGWH45nz4A@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2813-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
November 09, 2021                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : ckeditor
Version        : 4.5.7+dfsg-2+deb9u1
CVE ID         : CVE-2021-33829 CVE-2021-37695
Debian Bug     : 992290

CKEditor, an open source WYSIWYG HTML editor with rich content
support, which can be embedded into web pages, had two
vulnerabilites as follows:

CVE-2021-33829

    A cross-site scripting (XSS) vulnerability in the HTML Data
    Processor in CKEditor 4 allows remote attackers to inject
    executable JavaScript code through a crafted comment because
    --!> is mishandled.

CVE-2021-37695

    A potential vulnerability has been discovered in CKEditor 4
    Fake Objects package. The vulnerability allowed to inject
    malformed Fake Objects HTML, which could result in executing
    JavaScript code.

For Debian 9 stretch, these problems have been fixed in version
4.5.7+dfsg-2+deb9u1.

We recommend that you upgrade your ckeditor packages.

For the detailed security status of ckeditor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ckeditor

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmGKNpAACgkQgj6WdgbD
S5aXvw/8CsNLk3fBNXi0oGhCpJ5I9m/TSqPLytYpHRkqG/MlGV8s+B20XCjqWIZy
jBxNJ2poTnMfRWbPfNCxJidkNZWqQ3ILnrmGojB/3QOlYSkRBSO4BYqNIaIDHU7r
BKUYCLpWlm83N2wq1UT8MLHBDN3JB7m8RZx285fUEI7yIKg7TqbXtbDwwDraYwlN
qkBmVHId4YnBRi6hMrnSbMe+sSh+d6ymxiKGq31AEV0noBCD6sKcRsjm3lHPI7Jt
srOy7GEiRTLE41R1viXjv/DSiuWETB0BDfvvNSfqLkH7Eq1HlVBY8FDFTX74ydXU
LUjQAemirspqJNsZZRKrChNXG44VxlEoqr/h3vSGSFRf2Fmmw8O8rtn87GTy+xZb
Dz1jhGTXGZ07AR42ujItq8wAj859Wnt+lVsKTcuL6cgYekMPMYPjlq0SUUfwPynx
9GWOCXeljIj6H2n6TCn9bu6BEMETOWItrExXELYK95nHrA7GmkW8szX2VNWNCeIU
5wYlnn+BC+j8yeGzBU537r6YBQuA+SpbQPzc5PjDcubAWE+59xHD3EfrPsA7Z7GP
80hBvHzJ8SJeAZA4vKC36vF8LxzgBE2lY0qyB7qCNWfFF96NNKGOl52STudEP1Rt
sKtF1546F94sRLuHDxjU4PdZdt2JoShwbAukqAn2o8aNP6JS08k=
=bfla
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2812-1] botan1.10 security update
Next by Date: [SECURITY] [DLA 2814-1] openjdk-8 security update
Previous by thread: [SECURITY] [DLA 2812-1] botan1.10 security update
Next by thread: [SECURITY] [DLA 2814-1] openjdk-8 security update
Index(es):
- Date
- Thread