oss-sec mailing list archives

Fwd: GNU emacs 29.3 released to fix security issues


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sun, 24 Mar 2024 09:07:34 -0700

I don't see any CVEs assigned to track these issues yet.

        -alan-


-------- Forwarded Message --------
Subject: GNU emacs 29.3 released to fix security issues
Date: Sun, 24 Mar 2024 09:05:20 -0700
To: oss-security () lists openwall com

https://lists.gnu.org/archive/html/info-gnu/2024-03/msg00005.html reports:

Version 29.3 of Emacs, the extensible text editor, should now
be available from your nearest GNU mirror:

   https://ftpmirror.gnu.org/emacs/emacs-29.3.tar.xz
   https://ftpmirror.gnu.org/emacs/emacs-29.3.tar.gz

[...]

Emacs 29.3 is an emergency bugfix release; it includes no new features
except a small number of changes intended to resolve security
vulnerabilities uncovered in Emacs 29.2.  See the file etc/NEWS in the
tarball; you can view it from Emacs by typing 'C-h n', or by clicking
Help->Emacs News from the menu bar.

You can also browse NEWS on-line using this URL:

  https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29

For the complete list of changes and the people who made them, see the
various ChangeLog files in the source distribution.  For a summary of
all the people who have contributed to Emacs, see the etc/AUTHORS
file.

For more information about Emacs, see:
  https://www.gnu.org/software/emacs

https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
lists these changes:

* Changes in Emacs 29.3
Emacs 29.3 is an emergency bugfix release intended to fix several
security vulnerabilities described below.

** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
This is for security reasons, to avoid evaluating malicious Lisp code.

** New buffer-local variable 'untrusted-content'.
When this is non-nil, Lisp programs should treat buffer contents with
extra caution.

** Gnus now treats inline MIME contents as untrusted.
To get back previous insecure behavior, 'untrusted-content' should be
reset to nil in the buffer.

** LaTeX preview is now by default disabled for email attachments.
To get back previous insecure behavior, set the variable
'org--latex-preview-when-risky' to a non-nil value.

** Org mode now considers contents of remote files to be untrusted.
Remote files are recognized by calling 'file-remote-p'.

The detailed changelogs are at:
https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4?h=emacs-29
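As an added illustration of how a Lisp program can honor the 'untrusted-content' variable described in the quoted NEWS, and how an administrator can confirm the 29.3 defaults are intact, here is example Emacs Lisp written for this page. It is not from the oss-sec post or from the Emacs sources; all `my/` names are hypothetical, and it assumes Emacs 29.3, where `untrusted-content` and `org--latex-preview-when-risky` exist as named above.

```elisp
;; Added example (not from the oss-sec post or the Emacs sources).
;; Assumes Emacs 29.3, where `untrusted-content' is the new buffer-local
;; variable and `org--latex-preview-when-risky' is the Org override named
;; in NEWS.  All `my/' names are hypothetical.

(defun my/buffer-untrusted-p (&optional buffer)
  "Return non-nil if BUFFER (default: current buffer) holds untrusted content.
A buffer counts as untrusted when `untrusted-content' is non-nil (for
example set by Gnus for inline MIME parts) or when it visits a remote
file, which is how Org 29.3 decides trust via `file-remote-p'."
  (with-current-buffer (or buffer (current-buffer))
    (or (bound-and-true-p untrusted-content)
        (and buffer-file-name
             (file-remote-p buffer-file-name)))))

(defun my/eval-from-buffer-safely (form)
  "Evaluate FORM with lexical binding unless the current buffer is untrusted.
Lisp that takes its input from buffer text should gate on this check
instead of evaluating unconditionally."
  (if (my/buffer-untrusted-p)
      (user-error "Refusing to evaluate Lisp from untrusted buffer %s"
                  (buffer-name))
    (eval form t)))

(defun my/check-emacs-29.3-hardening ()
  "Report whether this Emacs carries the 29.3 fixes with defaults intact.
Returns a list of (CHECK . OK) pairs suitable for display or logging."
  (list
   ;; The fixes shipped in 29.3; anything older lacks `untrusted-content'.
   (cons 'emacs-version-at-least-29.3
         (not (version< emacs-version "29.3")))
   (cons 'untrusted-content-variable-present
         (boundp 'untrusted-content))
   ;; NEWS says setting this non-nil restores the insecure LaTeX preview,
   ;; so the hardened state is for it to be unbound or nil.
   (cons 'org-latex-preview-when-risky-disabled
         (not (bound-and-true-p org--latex-preview-when-risky)))))

;; Usage from an init file or a scratch buffer:
;; (my/check-emacs-29.3-hardening)
;; (with-temp-buffer
;;   (setq-local untrusted-content t)          ; mark the buffer untrusted
;;   (my/eval-from-buffer-safely '(+ 1 2)))    ; refused with a user-error
```

The trust predicate mirrors the two signals the NEWS entries name (the buffer-local flag and a remote file name), so a program that calls it gets the same policy Org and Gnus apply in 29.3 rather than inventing its own.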

