Unverified Commit 1f9c648a authored by Jonas Heinrich, committed by GitHub

pythonPackages.django-ckeditor: Add known vulnerability description following its formal deprecation in February 2024 (#380051)
parents 07d73b1e 58551a95
+32 −1
@@ -55,5 +55,36 @@ buildPythonPackage rec {
    changelog = "https://github.com/django-ckeditor/django-ckeditor/blob/${version}/CHANGELOG.rst";
    license = licenses.bsd3;
    maintainers = with maintainers; [ onny ];
    knownVulnerabilities = [
      ''
        django-ckeditor bundles CKEditor 4.22.1 which isn’t supported anmyore and
        which does have unfixed security issues

        Existing users of django-ckeditor should consider switching to a
        different editor such as CKEditor 5 (django-ckeditor-5), after verifying
        that its GPL licensing terms are acceptable, or ProseMirror
        (django-prose-mirror by the author of django-ckeditor). Support of the
        CKEditor 4 package is provided by its upstream developers as a
        non-free/commercial LTS package until December 2028.

        Note that while there are publically known vulnerabilities for the
        CKEditor 4 series, the exploitability of these issues depends on how
        CKEditor is used by the given Django application.

        Further information:

        * List of vulnerabilites fixed in CKEditor 4.24.0-lts:

          * GHSA-fq6h-4g8v-qqvm
          * GHSA-fq6h-4g8v-qqvm
          * GHSA-mw2c-vx6j-mg76

        * The django-ckeditor deprecation notice:
          <https://406.ch/writing/django-ckeditor/>

        * The non-free/commerical CKEditor 4 LTS package:
          <https://ckeditor.com/ckeditor-4-support/>
      ''
    ];
  };
}
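Review bot: the advisory list under "List of vulnerabilites fixed in CKEditor 4.24.0-lts" names GHSA-fq6h-4g8v-qqvm twice, so the second entry is either a copy-paste slip or a stand-in for a different advisory; please replace it with the intended identifier or drop the duplicate so the list reflects the actual set of fixed issues. The same `knownVulnerabilities` string is user-facing text and carries several typos worth fixing in this change: `anmyore` (anymore), `publically` (publicly), `vulnerabilites` (vulnerabilities) and `commerical` (commercial). The substance of the note is sound: bundling the unsupported CKEditor 4.22.1 is the actual risk, and the caveat that exploitability depends on how the Django application uses the editor is a fair, non-alarmist framing for users deciding whether to accept the package or migrate to django-ckeditor-5 or django-prose-mirror.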