------------------------------------------------------------------------- Debian LTS Advisory DLA-3849-1 [email protected] https://www.debian.org/lts/security/ Sean Whitton June 29, 2024 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : emacs Version : emacs 1:26.1+1-3.2+deb10u6 CVE ID : CVE-2024-39331 Debian Bug : 1074136 A vulnerability was discovered in GNU Emacs, the extensible, customisable, self-documenting display editor. The org-link-expand-abbrev function expanded a %(...) link abbrev even when the abbrev specified an unsafe function, such as shell-command-to-string. This could lead to arbitrary code execution as soon as an Org-mode format file was opened, including one embedded in an e-mail message. For Debian 10 buster, these problems have been fixed in version 1:26.1+1-3.2+deb10u6. We recommend that you upgrade your org-mode packages. For the detailed security status of org-mode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/org-mode Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature