[RCD] Cryptographic signatures for release tags or tarballs

Thomas Bruederli thomas at roundcube.net
Sat Jan 2 14:34:09 CET 2016


On Wed, Oct 21, 2015 at 8:54 PM, A.L.E.C <alec at alec.pl> wrote:
> On 10/18/2015 01:23 AM, Guilhem Moulin wrote:
>> Completely unrelated, please note that the “1.1.3 — Dependent” tarball
>> includes moxieplayer.swf, while the last mention of moxieplayer in your
>> changelog says “TinyMCE security issue: removed moxieplayer (embedding
>> flv and mp4 is not supported anymore)”.  Was it re-added by mistake?
>> (Anyway that file violates the DFSG and will be removed from the
>> upcoming 1.1.3 Debian packages.)
>
> The file was re-added with update to TinyMCE 4.x. I don't know if it's
> still vulnerable, the file is in a newer version according to git.
>
> Thomas, do you remember what vulnerability it was?

Finally I found it. I just forwarded the original report to you. And
here's a related commit which removed that file back in 2011:
https://github.com/roundcube/roundcubemail/commit/d6284b4d22d1e

According to this page http://cxsecurity.com/issue/WLB-2013070017
the vulnerability has been fixed in TinyMCE 4.0 which we have in Roundcube 1.1.

Cheers,
Thomas
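The situation above, a file removed from a release for a security reason and silently reintroduced by a later dependency update, is a release-hygiene regression that a small check on the tarball can catch. The following Python is an added example for this thread, not code from Roundcube or the list participants: it keeps a denylist of files that were removed on purpose (only moxieplayer.swf and its reason come from the thread; the archive paths and contents are constructed for the example) and reports any archive member whose basename reappears. Run it against a real release tarball by passing the file's bytes to find_reintroduced().

```python
import io
import tarfile

# Denylist of files once removed from a release, with the stated reason.
# moxieplayer.swf and its reason are taken from the thread; any further
# entries would be project-specific (constructed here, not from the page).
REMOVED_FILES = {
    "moxieplayer.swf": "TinyMCE security issue: removed moxieplayer (2011)",
}


def build_sample_tarball(members):
    """Construct an in-memory .tar.gz from a {path: bytes} mapping.

    Used only to produce constructed test input; a real check reads the
    release tarball from disk instead.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in members.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_reintroduced(tar_bytes, removed=REMOVED_FILES):
    """Return [(member_path, reason)] for every regular file in the archive
    whose basename matches a deliberately removed file."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            if base in removed:
                hits.append((member.name, removed[base]))
    return hits


if __name__ == "__main__":
    # Constructed sample archive (paths are placeholders, not Roundcube's own).
    sample = build_sample_tarball({
        "example-1.1.3/README": b"release notes",
        "example-1.1.3/vendor/tinymce/moxieplayer.swf": b"FWS",
    })
    for path, reason in find_reintroduced(sample):
        print(f"REINTRODUCED {path}: {reason}")
```

In a release pipeline the denylist would be committed next to the changelog entry that removed the file, so the reason travels with the check and a reviewer can decide whether a later upstream update actually fixed the issue before allowing the file back.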

