Fedora 28: 2018-107dbc8cf4 Security Update: CKEditor XSS Vulnerability Fix

CKEditor is a text editor to be used inside web pages. It's a WYSIWYG editor,

which means that the text being edited on it looks as similar as possible to

the results users have when publishing it. It brings to the web common editing

features found on desktop editing applications like Microsoft Word and

OpenOffice.

## 4.9.2 https://ckeditor.com/cke4/release/CKEditor-4.9.2 ### Security Updates

- Fixed XSS vulnerability in the Enhanced Image (image2) plugin reported by Kyaw

Min Thein. - Issue summary: It was possible to execute XSS inside CKEditor

using the tag and specially crafted HTML. Please note that the default

presets (Basic/Standard/Full) do not include this plugin, so you are only at

risk if you made a custom build and enabled this plugin. ## 4.9.1

https://ckeditor.com/cke4/release/CKEditor-4.9.1 ### Fixed Issues - \#1835:

Fixed: Integration between CKFinder and File Browser plugin does not work. ##

4.9.0 https://ckeditor.com/cke4/release/CKEditor-4.9.0 ### New Features -\#932: Introduced Easy Image feature for inserting images that are automatically

rescaled, optimized, responsive and delivered through a blazing-fast CDN. Three

new plugins were added to support it: - Easy Image - Cloud Services

- Image Base - \#1338: Keystroke labels are displayed for function keys (like

F7, F8). - \#643: The File Browser plugin can now upload files using XHR

requests. This allows for setting custom HTTP headers using the

config.fileTools_requestHeaders configuration option. - \#1365: The File Browser

plugin uses XHR requests by default. - \#1399: Added the possibility to set

CKEDITOR.config.startupFocus as start or end to specify where the editor focus

should be after the initialization. - \#1441: The Magic Line plugin line element

can now be identified by the data-cke-magic-line="1" attribute. ### Fixed

Issues - \#595: Fixed: Pasting does not work on mobile devices. - \#869: Fixed:

Empty selection clears cached clipboard data in the editor. - \#1419: Fixed: The

Widget Selection plugin selects the editor content with the Alt+A key

combination on Windows. - \#1274: Fixed: Balloon Toolbar does not match a single

selected image using the contextDefinition.cssSelectormatcher. - \#1232: Fixed:

Balloon Toolbar buttons should be registered as focusable elements. - \#1342:

Fixed: Balloon Toolbar should be re-positioned after the change event. - \#1426:

[IE8-9] Fixed: Missing Balloon Toolbar background in the Kama skin. Thanks to

Christian Elmer! - \#1470: Fixed: Balloon Toolbar is not visible after drag and

drop of a widget it is attached to. - \#1048: Fixed: Balloon Panel is not

positioned properly when a margin is added to its non-static parent. - \#889:

Fixed: Unclear error message for width and height fields in the Image and

Enhanced Image plugins. - \#859: Fixed: Cannot edit a link after a double-click

on the text in the link. - \#1013: Fixed: Paste from Word does not work

correctly with the config.forcePasteAsPlainText option. - \#1356: Fixed: Border

parse function does not allow spaces in the color value. - \#1010: Fixed: The

CSS border shorthand property was incorrectly expanded ignoring the border-color

style. - \#1535: Fixed: Widget mouseover border contrast is insufficient. -\#1516: Fixed: Fake selection allows removing content in read-only mode using

the Backspace and Delete keys. - \#1570: Fixed: Fake selection allows cutting

content in read-only mode using the Ctrl/Cmd + X keys. - \#1363: Fixed: Paste

notification is unclear and it might confuse users. ### API Changes - \#1346:

Balloon Toolbar context manager API is now available in the

pluginDefinition.init method of the requiringplugin. - \#1530: Added the

possibility to use custom icons for buttons. ### Other Changes - Updated SCAYT

(Spell Check As You Type) and WebSpellChecker plugins: - SCAYT

scayt_minWordLength configuration option now defaults to 3 instead of 4. -SCAYT default number of suggested words in the context menu changed to 3. -\#90: Fixed: Selection is lost on link creation if SCAYT highlights the word.

- Fixed: SCAYT crashes when the browser localStorage is disabled. - [IE11]

Fixed: Unable to get property type of undefined or null reference error in the

browser console when SCAYT is disabled/enabled. - \#46: Fixed: Editing is

blocked when remote spell checker server is offline. - Fixed: User

Dictionary cannot be created in WSC due to You already have the dictionary

error. - Fixed: Words with apostrophe ' on the replacement make the WSC

dialog inaccessible. - Fixed: SCAYT/WSC causes the Uncaught TypeError error

in the browser console. - \#1337: Updated the samples layout with the new

CKEditor 4 logo and color scheme. - \#1591: CKBuilder and language tools are now

downloaded over HTTPS. Thanks to August Detlefsen!

* Sun Apr 29 2018 Shawn Iwinski - 4.9.2-1

- Update to 4.9.2 (RHBZ #1556589)

- Fix license files

[ 1 ] Bug #1556589 - ckeditor-4.9.2 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1556589

su -c 'dnf upgrade --advisory FEDORA-2018-107dbc8cf4' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org