<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for python-django-ckeditor</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2025:0008-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-01-07T17:02:06Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-01-07T17:02:06Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-01-07T17:02:06Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for python-django-ckeditor</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for python-django-ckeditor fixes the following issues:

- update to 6.7.2:
  * Deprecated the package.
  * Added a new ckeditor/fixups.js script which disables the version check again
    (if something slips through by accident) and which disables the behavior
    where CKEditor 4 would automatically attach itself to unrelated HTML elements
    with a contenteditable attribute (see CKEDITOR.disableAutoInline in the
    CKEditor 4 docs).
- CVE-2024-24815: Fixed bypass of Advanced Content Filtering mechanism (boo#1219720)

- update to 6.7.1:
  * Add Python 3.12, Django 5.0
  * Silence the CKEditor version check/nag but include a system check warning

- update to 6.7.0:
  * Dark mode fixes.
  * Added support for Pillow 10.

- update to 6.6.1:
  * Required a newer version of django-js-asset which actually works
    with Django 4.1.
  * CKEditor 4.21.0
  * Fixed the CKEditor styles when used with the dark Django admin theme.

- update to 6.5.1:
  * Avoided calling ``static()`` if ``CKEDITOR_BASEPATH`` is defined.
  * Fixed ``./manage.py generateckeditorthumbnails`` to work again after the
    image uploader backend rework.
  * CKEditor 4.19.1
  * Stopped calling ``static()`` during application startup.
  * Added Django 4.1
  * Changed the context for the widget to deviate less from Django. Removed a
    few template variables which are not used in the bundled
    ``ckeditor/widget.html`` template. This only affects you if you are using a
    customized widget or widget template.
  * Dropped support for Python &lt; 3.8, Django &lt; 3.2.
  * Added a pre-commit configuration.
  * Added a GitHub action for running tests.
  * Made selenium tests require opt in using a ``SELENIUM=firefox`` or
    ``SELENIUM=chromium`` environment variable.
  * Made it possible to override the CKEditor template in the widget class.
  * Changed ``CKEDITOR_IMAGE_BACKEND`` to require dotted module paths (the old
    identifiers are still supported for now).
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2025-8</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZXNT2JPQVYWDQRDN2YJ7KJCRBY5QEJQW/</URL>
      <Description>E-Mail link for openSUSE-SU-2025:0008-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1219720</URL>
      <Description>SUSE Bug 1219720</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-24815/</URL>
      <Description>SUSE CVE CVE-2024-24815 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP5">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP5">
        <FullProductName ProductID="SUSE Package Hub 15 SP5">SUSE Package Hub 15 SP5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.5">
      <Branch Type="Product Name" Name="openSUSE Leap 15.5">
        <FullProductName ProductID="openSUSE Leap 15.5" CPE="cpe:/o:opensuse:leap:15.5">openSUSE Leap 15.5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="python311-django-ckeditor-6.7.2-bp155.3.3.1">
      <FullProductName ProductID="python311-django-ckeditor-6.7.2-bp155.3.3.1">python311-django-ckeditor-6.7.2-bp155.3.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="python311-django-ckeditor-6.7.2-bp155.3.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP5">
      <FullProductName ProductID="SUSE Package Hub 15 SP5:python311-django-ckeditor-6.7.2-bp155.3.3.1">python311-django-ckeditor-6.7.2-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-django-ckeditor-6.7.2-bp155.3.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.5">
      <FullProductName ProductID="openSUSE Leap 15.5:python311-django-ckeditor-6.7.2-bp155.3.3.1">python311-django-ckeditor-6.7.2-bp155.3.3.1 as a component of openSUSE Leap 15.5</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.</Note>
    </Notes>
    <CVE>CVE-2024-24815</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP5:python311-django-ckeditor-6.7.2-bp155.3.3.1</ProductID>
        <ProductID>openSUSE Leap 15.5:python311-django-ckeditor-6.7.2-bp155.3.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZXNT2JPQVYWDQRDN2YJ7KJCRBY5QEJQW/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-24815.html</URL>
        <Description>CVE-2024-24815</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1219720</URL>
        <Description>SUSE Bug 1219720</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
