stable

ckeditor-4.16.2-1.fc33

FEDORA-2021-87578dca12 created by siwinski 3 years ago for Fedora 33

CKEditor 4.16.2

Security Updates:

  • Fixed XSS vulnerability in the Clipboard plugin reported by Anton Subbotin.

    Issue summary: The vulnerability allowed abuse of the paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. See the security advisory for more details.

  • Fixed XSS vulnerability in the Widget plugin reported by Anton Subbotin.

    Issue summary: The vulnerability allowed abuse of the undo functionality using malformed Widget HTML, which could result in executing JavaScript code. See the security advisory for more details.

  • Fixed XSS vulnerability in the Fake Objects plugin reported by Mika Kulmala.

    Issue summary: The vulnerability allowed injection of malformed Fake Objects HTML, which could result in executing JavaScript code. See the security advisory for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Fixed Issues:

  • #4777: Fixed: HTML comments in widgets not processed correctly.
  • #4733: Fixed: Link prevent duplicate anchors in text with styles.
    • #4728: Fixed: Multiple anchors in one line and multi-line with text style.
    • #3863: Fixed: Multiple anchors in single word with text style.
  • #3819: [Chrome] Fixed: After removing one of the two consecutive spaces, the &nbsp; character appears in the editor instead of a space.
  • #4666: [IE] Introduce CSS.escape polyfill. Thanks to limingli0707!
    • #681: Fixed: Table elements (td, tr, th, ..) with an id that starts with dot (.) causes javascript runtime err.
    • #641: Fixed: UploadImage Plugin Widgets not working in IE, Opera, Safari, PhantomJS.
  • #3638: Fixed: Opening the same dialog twice causes it to become hidden under the dialog's page cover.
  • #4247: Fixed: Color Button's incorrect rendering on the first opening.
  • #4555: Fixed: Font styles with attributes are not applied correctly when used multiple times over the same selection.
  • #4782: [Firefox] Fixed: TypeError is thrown when switching to Source View and back while Autocomplete plugin is enabled.

CKEditor 4.16.1

Fixed Issues:

  • #4617: Fixed: Autocomplete is not accessible in inline editors.
  • #4493: Fixed: The drop-down label does not reflect the current value of the drop-down.
  • #1572: Fixed: A paragraph before or after a widget cannot be removed. Thanks to bunglegrind!
  • #4301: Fixed: Pasted content is overwritten when pasted in an initially empty editor with the div Enter mode.
  • #4351: Fixed: Incorrect values for RGBA/HSLA colors in Color Dialog.
  • #4509: Fixed: Incorrect handling of drag & drop inside widgets and nested editables.
  • #4611: [Android, iOS] Fixed: Incorrect hover styles for buttons in the toolbar on mobile devices.
  • #4652: Fixed: Event data set to false is treated as an event cancelation.
  • #4659: Fixed: CKEDITOR.htmlParser does not treat --!> as a comment end tag correctly.

CKEditor 4.16

Security Updates:

  • Fixed ReDoS vulnerability in the Autolink plugin.

    Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted URL-like text into the editor and press Enter or Space.

  • Fixed ReDoS vulnerability in the Advanced Tab for Dialogs plugin.

    Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted text into the Styles dialog.

An upgrade is highly recommended!

New Features:

  • #2800: Unsupported image formats are now gracefully handled by the Paste from Word plugin on paste, additionally showing descriptive error messages.
  • #2800: Unsupported image formats are now gracefully handled by the Paste from LibreOffice plugin on paste, additionally showing descriptive error messages.
  • #3582: Introduced smart positioning of the Autocomplete panel used by the Mentions and Emoji plugins. The panel will now be additionally positioned related to the browser viewport to be always fully visible.
  • #4388: Added the option to remove an iframe created with the IFrame Dialog plugin from the sequential keyboard navigation using the tabindex attribute. Thanks to Timo Kirkkala!

Fixed Issues:

API Changes:

Other Changes:

CKEditor 4.15.1

Security Updates:

  • Fixed XSS vulnerability in the Color History feature reported by Mark Wade.

    Issue summary: It was possible to execute an XSS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted HTML code into the Color Button dialog.

An upgrade is highly recommended!

Fixed Issues:

API Changes:

Other Changes:

CKEditor 4.15

New features:

Fixed Issues:

CKEditor 4.14.1

Fixed Issues:

Other Changes:

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2021-87578dca12

This update has been submitted for testing by siwinski.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago

This update's test gating status has been changed to 'waiting'.

3 years ago

siwinski edited this update.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago

This update has been pushed to testing.

3 years ago

This update has been submitted for stable by bodhi.

3 years ago

This update has been pushed to stable.

3 years ago


Metadata

  Type: security
  Severity: high
  Karma: 0
  Signed
  Content Type: RPM
  Test Gating

Autopush Settings

  Unstable by Karma: -3
  Stable by Karma: 3
  Stable by Time: 7 days

Dates

  submitted: 3 years ago
  in testing: 3 years ago
  in stable: 3 years ago
  modified: 3 years ago

  • BZ#1847904 ckeditor-4.16.2 is available
  • BZ#1974730 CVE-2021-33829 ckeditor: cross-site scripting allows remote attackers to inject executable JavaScript code [fedora-all]
  • BZ#1974731 CVE-2021-33829 ckeditor: cross-site scripting allows remote attackers to inject executable JavaScript code [epel-7]
  • BZ#1993483 CVE-2021-32808 ckeditor: widget feature vulnerability allowing to execute JavaScript code using undo functionality [fedora-all]
  • BZ#1993484 CVE-2021-32808 ckeditor: widget feature vulnerability allowing to execute JavaScript code using undo functionality [epel-7]
  • BZ#1993486 CVE-2021-32809 ckeditor: clipboard feature vulnerability allowing to inject arbitrary HTML into the editor using paste functionality [fedora-all]
  • BZ#1993487 CVE-2021-32809 ckeditor: clipboard feature vulnerability allowing to inject arbitrary HTML into the editor using paste functionality [epel-7]
  • BZ#1993489 CVE-2021-37695 ckeditor: fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML [fedora-all]
  • BZ#1993490 CVE-2021-37695 ckeditor: fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML [epel-7]
