List: oss-security
Subject: [oss-security] Fwd: GNU emacs 29.3 released to fix security issues
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2024-03-24 16:07:34
Message-ID: 22b2c6ff-84ab-4fe8-8e1f-c192323a6bbc () oracle ! com
I don't see any CVEs assigned to track these issues yet.
-alan-
-------- Forwarded Message --------
Subject: GNU emacs 29.3 released to fix security issues
Date: Sun, 24 Mar 2024 09:05:20 -0700
To: oss-security@lists.openwall.com
https://lists.gnu.org/archive/html/info-gnu/2024-03/msg00005.html reports:
> Version 29.3 of Emacs, the extensible text editor, should now
> be available from your nearest GNU mirror:
>
> https://ftpmirror.gnu.org/emacs/emacs-29.3.tar.xz
> https://ftpmirror.gnu.org/emacs/emacs-29.3.tar.gz
[...]
> Emacs 29.3 is an emergency bugfix release; it includes no new features
> except a small number of changes intended to resolve security
> vulnerabilities uncovered in Emacs 29.2. See the file etc/NEWS in the
> tarball; you can view it from Emacs by typing 'C-h n', or by clicking
> Help->Emacs News from the menu bar.
>
> You can also browse NEWS on-line using this URL:
>
> https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
>
> For the complete list of changes and the people who made them, see the
> various ChangeLog files in the source distribution. For a summary of
> all the people who have contributed to Emacs, see the etc/AUTHORS
> file.
>
> For more information about Emacs, see:
> https://www.gnu.org/software/emacs
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
lists these changes:
> * Changes in Emacs 29.3
> Emacs 29.3 is an emergency bugfix release intended to fix several
> security vulnerabilities described below.
>
> ** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
> This is for security reasons, to avoid evaluating malicious Lisp code.
>
> ** New buffer-local variable 'untrusted-content'.
> When this is non-nil, Lisp programs should treat buffer contents with
> extra caution.
>
> ** Gnus now treats inline MIME contents as untrusted.
> To get back previous insecure behavior, 'untrusted-content' should be
> reset to nil in the buffer.
>
> ** LaTeX preview is now by default disabled for email attachments.
> To get back previous insecure behavior, set the variable
> 'org--latex-preview-when-risky' to a non-nil value.
>
> ** Org mode now considers contents of remote files to be untrusted.
> Remote files are recognized by calling 'file-remote-p'.
The detailed changelogs are at:
https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4?h=emacs-29
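
Added example, not part of the original message or of the Emacs sources: one way a Lisp package could honor the 'untrusted-content' variable and the 'file-remote-p' check named in the NEWS entries above before doing anything risky with buffer text. The my/ function names and the sample buffer text are hypothetical; treating any remote default-directory as untrusted is an assumption of this sketch.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; every `my/' name is hypothetical.

(defun my/emacs-has-29.3-changes-p ()
  "Return non-nil if the running Emacs is version 29.3 or later.
This is a version check only; it cannot see distribution backports."
  (not (version< emacs-version "29.3")))

(defun my/content-untrusted-p (&optional buffer)
  "Return non-nil if BUFFER (default: current buffer) holds untrusted text.
Untrusted means `untrusted-content' is non-nil there, or the buffer's
file or directory is remote according to `file-remote-p'."
  (with-current-buffer (or buffer (current-buffer))
    (and (or (bound-and-true-p untrusted-content) ; unbound before 29.3
             (and buffer-file-name (file-remote-p buffer-file-name))
             ;; Assumption of this sketch: a remote working directory
             ;; also marks the buffer as untrusted.
             (and default-directory (file-remote-p default-directory)))
         t)))

(defun my/call-if-trusted (fn &rest args)
  "Apply FN to ARGS only when the current buffer's contents are trusted.
Return FN's value, or the symbol `refused' when the call was blocked."
  (if (my/content-untrusted-p)
      (progn
        (message "Refusing %S: contents of %s are untrusted"
                 fn (buffer-name))
        'refused)
    (apply fn args)))

(defun my/demo ()
  "Evaluate a constructed form, first trusted, then marked untrusted.
Return a list of the two results."
  (with-temp-buffer
    (let ((default-directory temporary-file-directory)) ; force a local dir
      (insert "(+ 1 2)")                 ; constructed sample content
      (let ((form (read (buffer-string))))
        (list
         (my/call-if-trusted #'eval form t)
         (progn
           ;; What Gnus 29.3 does for inline MIME parts, per the NEWS text.
           (setq-local untrusted-content t)
           (my/call-if-trusted #'eval form t)))))))
```

Evaluating (my/demo) returns the form's value for the trusted case and the symbol refused once the buffer is marked untrusted.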