Re: [DSA 3970-1] emacs24 security update
- To: debian-security@lists.debian.org
- Subject: Re: [DSA 3970-1] emacs24 security update
- From: Bjørn Mork <bjorn@mork.no>
- Date: Wed, 13 Sep 2017 09:10:52 +0200
- Message-id: <87mv5zjcoz.fsf@miraculix.mork.no>
- In-reply-to: <20170912210825.2ciqc3bdnvwn7qph@pisco.westfalen.local> (Moritz Muehlenhoff's message of "Tue, 12 Sep 2017 23:08:25 +0200")
- References: <20170912210825.2ciqc3bdnvwn7qph@pisco.westfalen.local>
Moritz Muehlenhoff <jmm@debian.org> writes:
> Package : emacs24
> CVE ID : not yet available
>
> Charles A. Roelli discovered that Emacs is vulnerable to arbitrary code
> execution when rendering text/enriched MIME data (e.g. when using
> Emacs-based mail clients).
>
> For the oldstable distribution (jessie), this problem has been fixed
> in version 24.4+1-5+deb8u1.
>
> For the stable distribution (stretch), this problem has been fixed in
> version 24.5+1-11+deb9u1.

What about emacs25 in stretch? AFAICS, it is still vulnerable.
https://bugs.debian.org/875447 was closed with the upload of 25.2+1-6 to
unstable, but this bug was opened against 25.1+1-4 which still is the
current version in stretch. And needs fixing ASAP...

Bjørn