mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

SoGo - CKEditor version is not secure - temporary fix #5713

Closed wb7 closed 9 months ago

wb7 commented 9 months ago

When writing a new mail in SoGo, the red message "This CKEditor 4.22.1 version is not secure" appears.

[Screenshot 2024-02-07 180422]

Temporary solution: CKEditor 4 seems to be EOL and the company behind it may sell you an LTS version. SoGo needs to migrate to CKE 5. Until then, the following helps:

wget https://raw.githubusercontent.com/Alinto/sogo/5081de1639162be9d259a3c921fb05084f879ce4/UI/WebServerResources/js/Common/sgCkeditor.component.js -O /var/lib/docker/volumes/mailcowdockerized_sogo-web-vol-1/_data/WebServerResources/js/Common/sgCkeditor.component.js

Basically, this overwrites sgCkeditor.component.js with the commit of SoGo addressing this: https://github.com/Alinto/sogo/commit/5081de1639162be9d259a3c921fb05084f879ce4

I've diffed the current master and the JS file I've wget-ed, and only the versionCheck parameter is added.

Until SoGo updates CKEditor, this will help to omit this annoying message for at least a few days.

Unfortunately, I don't know where to add this inside the mailcow code, so I can't create a PR.

DerLinkman commented 9 months ago

Already got in contact with the maintainer of the SOGo image repo (not using official sources).

If it's backported, it'll be updated within mailcow.

ajnadox commented 9 months ago

Same here, users calling in and dropping a lot of emails about this. Any timeframe?

DerLinkman commented 9 months ago

Nope

andristeiner commented 9 months ago

I can't directly access Docker volumes from my hosts. If you can't either, use the following workaround, which will add versionCheck: false, after the toolbarCanCollapse line:

docker compose exec sogo-mailcow sed --in-place '/toolbarCanCollapse/a \      versionCheck: false,' /sogo_web/WebServerResources/js/Common/sgCkeditor.component.js
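An idempotent variant of the sed one-liner above, added here as an example and not code from the thread, mailcow or SOGo: it inserts the versionCheck: false line only once (re-running the plain sed command appends a second copy), refuses to edit a file that lacks the toolbarCanCollapse anchor, and uses awk instead of GNU sed's `a \` so it behaves the same on busybox or BSD sed. The JavaScript it is exercised against is a constructed stand-in, not the real sgCkeditor.component.js.

```shell
# Idempotent variant of the sed workaround from this thread (added example, not
# mailcow or SOGo code): insert "versionCheck: false," directly after the line
# containing "toolbarCanCollapse" in sgCkeditor.component.js, but only if the
# file has no versionCheck key yet, so running it twice cannot duplicate the line.
# awk replaces GNU sed's "a \" (which BSD/busybox sed handle differently).
# Prints "patched" or "already-patched"; returns 1 if the anchor line is absent.
add_version_check_flag() {
  file="$1"
  if grep -q 'versionCheck' "$file"; then
    echo "already-patched"
    return 0
  fi
  if ! grep -q 'toolbarCanCollapse' "$file"; then
    echo "anchor 'toolbarCanCollapse' not found in $file" >&2
    return 1
  fi
  tmp="${file}.tmp.$$"
  awk '{ print } /toolbarCanCollapse/ { print "      versionCheck: false," }' \
    "$file" > "$tmp" && mv "$tmp" "$file"
  echo "patched"
}

# Number of versionCheck lines in FILE; exactly 1 after a successful patch.
count_version_check() {
  grep -c 'versionCheck' "$1"
}

# Line that follows the toolbarCanCollapse anchor (to verify placement).
line_after_anchor() {
  sed -n '/toolbarCanCollapse/{n;p;}' "$1"
}

# Writes a constructed stand-in for the relevant part of sgCkeditor.component.js
# into FILE; it is not the real SOGo file, just enough to exercise the patch.
make_sample_config() {
  cat > "$1" <<'EOF'
    var defaultConfig = {
      removePlugins: 'elementspath',
      toolbarCanCollapse: true,
      language: 'en'
    };
EOF
}
```

Inside the container the target is the /sogo_web/WebServerResources/js/Common/sgCkeditor.component.js path from the command above; like the sed one-liner, this only silences the notice and leaves the bundled CKEditor itself unchanged.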

chriscroome commented 9 months ago

Does anyone know what the specific security issues are with CKEditor version 4.22.1?

jamieburchell commented 9 months ago

Does anyone know what the specific security issues are with CKEditor version 4.22.1?

https://www.cvedetails.com/vulnerability-list/vendor_id-12058/Ckeditor.html

Usually XSS.

CarlosEVC63 commented 9 months ago

I can't directly access Docker volumes from my hosts. If you can't either, use the following workaround, which will add versionCheck: false, after the toolbarCanCollapse line:

docker compose exec sogo-mailcow sed --in-place '/toolbarCanCollapse/a \      versionCheck: false,' /sogo_web/WebServerResources/js/Common/sgCkeditor.component.js

This works for me. Thank you! :-)

DerLinkman commented 9 months ago

I've repushed the sogo image as it now contains the fix. Simply run docker compose pull inside mailcow's root directory and the image should be pulled. To apply it, simply run docker compose up -d.

chriscroome commented 9 months ago

Is this a "fix" to remove the security warning or a fix to include a more recent version without security issues?

DerLinkman commented 9 months ago

This "fix" only contains the removal of this message; the rest is upstream.