fixed 1033341 org-mode/9.5.2+dfsh-5
fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
thanks

Dear Salvatore and Security Team,

Salvatore Bonaccorso <carnil@debian.org> writes:

> Source: org-mode
> Version: 9.5.2+dfsh-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: clone -1 -2
> Control: reassign -2 src:emacs 1:28.2+1-13
> Control: retitle -2 emacs: CVE-2023-28617
>
> Hi,
>
> The following vulnerability was published for org-mode (and emacs,
> will close this bug).
>
> CVE-2023-28617[0]:
> | org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
> | GNU Emacs allows attackers to execute arbitrary commands via a file
> | name or directory name that contains shell metacharacters.

All lisp files were dropped in org-mode/9.5.2+dfsh-5, and so this CVE is fixed there; however, unfortunately this bug was not closed from that changelog entry.

This CVE is also not present in the 9.6.6+dfsg-1~exp1 that I just uploaded to experimental, but to be honest I forgot about this bug when uploading, and so I forgot to close this bug from the changelog as instructed. Sorry.

What is the correct way to proceed now?

Regards,
Nicholas