--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-e29c7d10da
2018-05-10 19:17:16.408171
--------------------------------------------------------------------------------

Name        : ckeditor
Product     : Fedora 27
Version     : 4.9.2
Release     : 1.fc27
URL         : https://ckeditor.com/
Summary     : WYSIWYG text editor to be used inside web pages
Description :
CKEditor is a text editor to be used inside web pages. It's a WYSIWYG editor,
which means that the text being edited on it looks as similar as possible to
the results users have when publishing it. It brings to the web common editing
features found on desktop editing applications like Microsoft Word and
OpenOffice.

--------------------------------------------------------------------------------
Update Information:

## 4.9.2

https://ckeditor.com/cke4/release/CKEditor-4.9.2

### Security Updates

- Fixed XSS vulnerability in the Enhanced Image (image2) plugin reported by Kyaw
  Min Thein.
    - Issue summary: It was possible to execute XSS inside CKEditor using the
      tag and specially crafted HTML. Please note that the default presets
      (Basic/Standard/Full) do not include this plugin, so you are only at risk
      if you made a custom build and enabled this plugin.

## 4.9.1

https://ckeditor.com/cke4/release/CKEditor-4.9.1

### Fixed Issues

- #1835: Fixed: Integration between CKFinder and File Browser plugin does not
  work.

## 4.9.0

https://ckeditor.com/cke4/release/CKEditor-4.9.0

### New Features

- #932: Introduced Easy Image feature for inserting images that are
  automatically rescaled, optimized, responsive and delivered through a
  blazing-fast CDN. Three new plugins were added to support it:
    - Easy Image
    - Cloud Services
    - Image Base
- #1338: Keystroke labels are displayed for function keys (like F7, F8).
- #643: The File Browser plugin can now upload files using XHR requests. This
  allows for setting custom HTTP headers using the
  config.fileTools_requestHeaders configuration option.
- #1365: The File Browser plugin uses XHR requests by default.
- #1399: Added the possibility to set CKEDITOR.config.startupFocus as start or
  end to specify where the editor focus should be after the initialization.
- #1441: The Magic Line plugin line element can now be identified by the
  data-cke-magic-line="1" attribute.

### Fixed Issues

- #595: Fixed: Pasting does not work on mobile devices.
- #869: Fixed: Empty selection clears cached clipboard data in the editor.
- #1419: Fixed: The Widget Selection plugin selects the editor content with the
  Alt+A key combination on Windows.
- #1274: Fixed: Balloon Toolbar does not match a single selected image using the
  contextDefinition.cssSelector matcher.
- #1232: Fixed: Balloon Toolbar buttons should be registered as focusable
  elements.
- #1342: Fixed: Balloon Toolbar should be re-positioned after the change event.
- #1426: [IE8-9] Fixed: Missing Balloon Toolbar background in the Kama skin.
  Thanks to Christian Elmer!
- #1470: Fixed: Balloon Toolbar is not visible after drag and drop of a widget
  it is attached to.
- #1048: Fixed: Balloon Panel is not positioned properly when a margin is added
  to its non-static parent.
- #889: Fixed: Unclear error message for width and height fields in the Image
  and Enhanced Image plugins.
- #859: Fixed: Cannot edit a link after a double-click on the text in the link.
- #1013: Fixed: Paste from Word does not work correctly with the
  config.forcePasteAsPlainText option.
- #1356: Fixed: Border parse function does not allow spaces in the color value.
- #1010: Fixed: The CSS border shorthand property was incorrectly expanded
  ignoring the border-color style.
- #1535: Fixed: Widget mouseover border contrast is insufficient.
- #1516: Fixed: Fake selection allows removing content in read-only mode using
  the Backspace and Delete keys.
- #1570: Fixed: Fake selection allows cutting content in read-only mode using
  the Ctrl/Cmd + X keys.
- #1363: Fixed: Paste notification is unclear and it might confuse users.

### API Changes

- #1346: Balloon Toolbar context manager API is now available in the
  pluginDefinition.init method of the requiring plugin.
- #1530: Added the possibility to use custom icons for buttons.

### Other Changes

- Updated SCAYT (Spell Check As You Type) and WebSpellChecker plugins:
    - SCAYT scayt_minWordLength configuration option now defaults to 3 instead
      of 4.
    - SCAYT default number of suggested words in the context menu changed to 3.
    - #90: Fixed: Selection is lost on link creation if SCAYT highlights the
      word.
    - Fixed: SCAYT crashes when the browser localStorage is disabled.
    - [IE11] Fixed: Unable to get property type of undefined or null reference
      error in the browser console when SCAYT is disabled/enabled.
    - #46: Fixed: Editing is blocked when remote spell checker server is
      offline.
    - Fixed: User Dictionary cannot be created in WSC due to You already have
      the dictionary error.
    - Fixed: Words with apostrophe ' on the replacement make the WSC dialog
      inaccessible.
    - Fixed: SCAYT/WSC causes the Uncaught TypeError error in the browser
      console.
- #1337: Updated the samples layout with the new CKEditor 4 logo and color
  scheme.
- #1591: CKBuilder and language tools are now downloaded over HTTPS. Thanks to
  August Detlefsen!
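
The 4.9.2 security note above limits exposure to custom builds that enable image2. The following added example (not part of the advisory or CKEditor's own code) classifies the text of a build's ckeditor.js on that basis; it assumes the build embeds a version:"x.y.z" literal and either registers plugins with CKEDITOR.plugins.add("name", ...) or lists them in CKEDITOR.config.plugins, and the sample strings are constructed.

```javascript
// Added example: static exposure check for a CKEditor 4 build.
// Assumptions (not from the advisory): the built ckeditor.js contains a
// version:"x.y.z" literal, and bundled plugins show up either as
// CKEDITOR.plugins.add("name", ...) or in a CKEDITOR.config.plugins list.

const FIXED = [4, 9, 2]; // release carrying the image2 XSS fix, per the advisory

function parseVersion(text) {
  const m = /\bversion\s*:\s*["'](\d+)\.(\d+)\.(\d+)["']/.exec(text);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison per component, so 4.10.0 is newer than 4.9.2.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

function hasPlugin(text, name) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const registered = new RegExp(`plugins\\.add\\(\\s*["']${esc}["']`).test(text);
  const listed = /config\.plugins\s*=\s*["']([^"']*)["']/.exec(text);
  // Exact match on list entries: "image" must not count as "image2".
  const inList = listed
    ? listed[1].split(",").map((s) => s.trim()).includes(name)
    : false;
  return registered || inList;
}

function assessBuild(text) {
  const version = parseVersion(text);
  const image2 = hasPlugin(text, "image2");
  let verdict;
  if (!version) verdict = "unknown"; // no version found: inspect manually
  else if (!isOlder(version, FIXED)) verdict = "fixed";
  else verdict = image2 ? "at-risk" : "not-exposed";
  return { version: version ? version.join(".") : null, image2, verdict };
}

// Constructed samples standing in for the contents of ckeditor.js.
const SAMPLE_CUSTOM =
  'window.CKEDITOR={timestamp:"X",version:"4.9.1"};' +
  'CKEDITOR.plugins.add("image2",{});';
const SAMPLE_PRESET =
  'window.CKEDITOR={timestamp:"X",version:"4.9.1"};' +
  'CKEDITOR.config.plugins="basicstyles,image,link";';
const SAMPLE_PATCHED =
  'window.CKEDITOR={timestamp:"X",version:"4.9.2"};' +
  'CKEDITOR.plugins.add("image2",{});';

for (const [label, src] of Object.entries({
  custom: SAMPLE_CUSTOM, preset: SAMPLE_PRESET, patched: SAMPLE_PATCHED,
})) {
  console.log(label, JSON.stringify(assessBuild(src)));
}
```

A verdict of "unknown" means the version literal was not found, so the build should be inspected by hand rather than treated as safe.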
--------------------------------------------------------------------------------
ChangeLog:

* Sun Apr 29 2018 Shawn Iwinski  - 4.9.2-1
- Update to 4.9.2 (RHBZ #1556589)
- Fix license files
* Wed Feb  7 2018 Fedora Release Engineering  - 4.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Dec 14 2017 Shawn Iwinski  - 4.8.0-1
- Update to 4.8.0 (RHBZ #1525735)
* Sun Oct  8 2017 Shawn Iwinski  - 4.7.3-1
- Update to 4.7.3 (RHBZ #1491261)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1556589 - ckeditor-4.9.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1556589
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-e29c7d10da' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora 27: ckeditor Security Update 2018-e29c7d10da

May 10, 2018