Bug#1033341: org-mode: CVE-2023-28617
Hi David,

On Sun, Jun 04, 2023 at 08:34:18AM -0300, David Bremner wrote:
> Nicholas D Steeves <sten@debian.org> writes:
> 
> > fixed 1033341 org/mode/9.5.2+dfsh-5
> > fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
> > thanks
> 
> Are you sure about that? It depends on emacs 28.2, which afaik has the
> vulnerable org-mode embedded. I guess it's a question of interpretation,
> but the vulnerability is still there after installing the package.

For src:emacs the respective bug is in #1033342.

But this is why I as well mentioned that for org-mode this technically
would need a per suite "unimportant" tracking in the security-tracker
(as the source still affected up to < 9.6.6+dfsg-1~exp1, but not the
resulting binary packages).

Looking at https://security-tracker.debian.org/tracker/CVE-2023-28617
I think we should be fine for bookworm already, correct?

(For bullseye the issue is no-dsa and could be fixed with respective
updates in a point release).

Regards,
Salvatore
