[RCD] Cryptographic signatures for release tags or tarballs

A.L.E.C alec at alec.pl
Wed Oct 21 20:54:17 CEST 2015


On 10/18/2015 01:23 AM, Guilhem Moulin wrote:
> Completely unrelated, please note that the “1.1.3 — Dependent” tarball
> includes moxieplayer.swf, while the last mention of moxieplayer in your
> changelog says “TinyMCE security issue: removed moxieplayer (embedding
> flv and mp4 is not supported anymore)”.  Was it re-added by mistake?
> (Anyway that file violates the DFSG and will be removed from the
> upcoming 1.1.3 Debian packages.)

The file was re-added with the update to TinyMCE 4.x. I don't know if it's
still vulnerable, the file is in a newer version according to git.

Thomas, do you remember what vulnerability it was?

-- 
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer        [http://kolab.org]
Roundcube Webmail Developer  [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl

