
Bug#1033341: org-mode: CVE-2023-28617



David Bremner <david@tethera.net> writes:

> Nicholas D Steeves <sten@debian.org> writes:
>
>> fixed 1033341 org/mode/9.5.2+dfsh-5
>> fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
>> thanks
>
> Are you sure about that? It depends on emacs 28.2, which afaik has the
> vulnerable org-mode embedded. I guess it's a question of interpretation,
> but the vulnerability is still there after installing the package.

Wasn't the fix in emacs 1:28.2+1-14 two months ago?  Meanwhile the new
empty org-mode 9.5.2+dfsh-5 won't be able to shadow the (fixed) bundled
copy.  Thanks again for that work!

This was also in bullseye in emacs 26.1+1-3.2+deb10u4

After uploading to bullseye-updates I'll upload 9.6.6 to unstable.

I'd rather let someone else take care of buster, if we're still
supporting it.

Regards,
Nicholas
