Re: [DSA 3970-1] emacs24 security update

To: debian-security@lists.debian.org
Subject: Re: [DSA 3970-1] emacs24 security update
From: Bjørn Mork <bjorn@mork.no>
Date: Wed, 13 Sep 2017 09:10:52 +0200
Message-id: <[🔎] 87mv5zjcoz.fsf@miraculix.mork.no>
In-reply-to: <20170912210825.2ciqc3bdnvwn7qph@pisco.westfalen.local> (Moritz Muehlenhoff's message of "Tue, 12 Sep 2017 23:08:25 +0200")
References: <20170912210825.2ciqc3bdnvwn7qph@pisco.westfalen.local>

Moritz Muehlenhoff <jmm@debian.org> writes:

> Package        : emacs24
> CVE ID         : not yet available
>
> Charles A. Roelli discovered that Emacs is vulnerable to arbitrary code
> execution when rendering text/enriched MIME data (e.g. when using
> Emacs-based mail clients).
>
> For the oldstable distribution (jessie), this problem has been fixed
> in version 24.4+1-5+deb8u1.
>
> For the stable distribution (stretch), this problem has been fixed in
> version 24.5+1-11+deb9u1.

What about emacs25 in stretch?  AFAICS, it is still vulnerable.

https://bugs.debian.org/875447 was closed with the upload of 25.2+1-6 to
unstable, but this bug was opened against 25.1+1-4 which still is the
current version in stretch.  And needs fixing ASAP...

Bjørn

Reply to:

Follow-Ups:
- Re: [DSA 3970-1] emacs24 security update
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: Different MD5 from same kernel module tun.ko on different servers same distro
Next by Date: Re: [DSA 3970-1] emacs24 security update
Previous by thread: Re: Different MD5 from same kernel module tun.ko on different servers same distro
Next by thread: Re: [DSA 3970-1] emacs24 security update
Index(es):
- Date
- Thread