21 Oct
2015
21 Oct
'15
6:54 p.m.
On 10/18/2015 01:23 AM, Guilhem Moulin wrote:
Completely unrelated, please note that the “1.1.3 — Dependent” tarball includes moxieplayer.swf, while the last mention of moxieplayer in your changelog says “TinyMCE security issue: removed moxieplayer (embedding flv and mp4 is not supported anymore)”. Was it re-added by mistake? (Anyway that file is violates the DFSG and will be removed from the upcoming 1.1.3 Debian packages.)
The file was re-added with update to TinyMCE 4.x. I don't know if it's still vulnerable, the file is in a newer version according to git.
Thomas, do you remember what vulnerability it was?
--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl