On 10/18/2015 01:23 AM, Guilhem Moulin wrote:
Completely unrelated, please note that the “1.1.3 — Dependent” tarball includes moxieplayer.swf, while the last mention of moxieplayer in your changelog says “TinyMCE security issue: removed moxieplayer (embedding flv and mp4 is not supported anymore)”. Was it re-added by mistake? (Anyway that file violates the DFSG and will be removed from the upcoming 1.1.3 Debian packages.)
The file was re-added with the update to TinyMCE 4.x. I don't know if it's still vulnerable; the file is in a newer version according to git.
Thomas, do you remember what vulnerability it was?