List:       oss-security
Subject:    [oss-security] Fwd: GNU emacs 29.3 released to fix security issues
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2024-03-24 16:07:34
Message-ID: 22b2c6ff-84ab-4fe8-8e1f-c192323a6bbc () oracle ! com

I don't see any CVEs assigned to track these issues yet.

	-alan-


-------- Forwarded Message --------
Subject: GNU emacs 29.3 released to fix security issues
Date: Sun, 24 Mar 2024 09:05:20 -0700
To: oss-security@lists.openwall.com

https://lists.gnu.org/archive/html/info-gnu/2024-03/msg00005.html reports:

> Version 29.3 of Emacs, the extensible text editor, should now
> be available from your nearest GNU mirror:
> 
>    https://ftpmirror.gnu.org/emacs/emacs-29.3.tar.xz
>    https://ftpmirror.gnu.org/emacs/emacs-29.3.tar.gz

[...]

> Emacs 29.3 is an emergency bugfix release; it includes no new features
> except a small number of changes intended to resolve security
> vulnerabilities uncovered in Emacs 29.2.  See the file etc/NEWS in the
> tarball; you can view it from Emacs by typing 'C-h n', or by clicking
> Help->Emacs News from the menu bar.
> 
> You can also browse NEWS on-line using this URL:
> 
>   https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
> 
> For the complete list of changes and the people who made them, see the
> various ChangeLog files in the source distribution.  For a summary of
> all the people who have contributed to Emacs, see the etc/AUTHORS
> file.
> 
> For more information about Emacs, see:
>   https://www.gnu.org/software/emacs

https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
lists these changes:

> * Changes in Emacs 29.3
> Emacs 29.3 is an emergency bugfix release intended to fix several
> security vulnerabilities described below.
> 
> ** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
> This is for security reasons, to avoid evaluating malicious Lisp code.
> 
> ** New buffer-local variable 'untrusted-content'.
> When this is non-nil, Lisp programs should treat buffer contents with
> extra caution.
> 
> ** Gnus now treats inline MIME contents as untrusted.
> To get back previous insecure behavior, 'untrusted-content' should be
> reset to nil in the buffer.
> 
> ** LaTeX preview is now by default disabled for email attachments.
> To get back previous insecure behavior, set the variable
> 'org--latex-preview-when-risky' to a non-nil value.
> 
> ** Org mode now considers contents of remote files to be untrusted.
> Remote files are recognized by calling 'file-remote-p'.

The detailed changelogs are at:
https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4?h=emacs-29
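
The NEWS entries quoted above ask Lisp programs to treat a buffer with extra caution when 'untrusted-content' is non-nil, and say Org recognizes remote files by calling 'file-remote-p'. The following is an added example of how a third-party package could honor both signals; it is not code from Emacs, Org or Gnus, and every `my/` name is hypothetical.

```emacs-lisp
;;; Added example; not Emacs, Org or Gnus code.  `my/' names are hypothetical.

(defun my/buffer-untrusted-p (&optional buffer)
  "Return non-nil if BUFFER (default: current) needs cautious handling.
True when `untrusted-content' is non-nil in that buffer, or when the
buffer visits a file that `file-remote-p' recognizes as remote."
  (with-current-buffer (or buffer (current-buffer))
    (or (bound-and-true-p untrusted-content) ; variable is new in Emacs 29.3
        (and buffer-file-name
             (file-remote-p buffer-file-name)
             t))))

(defun my/call-if-trusted (action)
  "Call ACTION, a function of no arguments, only in a trusted buffer.
ACTION stands for anything driven by buffer text, such as evaluating
embedded Lisp or running an external program on the contents.
Return ACTION's value, or nil when the call was skipped."
  (if (my/buffer-untrusted-p)
      (progn
        (message "Skipped: contents of %s are untrusted" (buffer-name))
        nil)
    (funcall action)))

(defun my/buffer-from-received-text (text)
  "Put TEXT from an outside source into a new buffer marked untrusted.
The mark is set before TEXT is inserted.  Return the new buffer."
  (let ((buf (generate-new-buffer "*received*")))
    (with-current-buffer buf
      (setq-local untrusted-content t)
      (insert text))
    buf))

;; Constructed usage: the lambda is never called, because the buffer
;; was marked untrusted when it was created.
(with-current-buffer (my/buffer-from-received-text "sample text")
  (my/call-if-trusted (lambda () (buffer-string))))
```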
