Re: Request to backport fix for CVE-2022-45939 to Emacs 28

From: lux
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Fri, 17 Feb 2023 10:35:43 +0800
User-agent: Evolution 3.46.3 (3.46.3-1.fc37)

On Thu, 2023-02-16 at 20:44 -0500, Lynn Winebarger wrote:
> On Tue, Feb 14, 2023 at 12:06 PM Troy Hinckley <comms@dabrev.com>
> wrote:
> > 
> > If the commit was cherry picked to the emacs-28 branch, does that
> > mean it’s just unreleased changes for Emacs 28? We are building
> > from source, so that might be enough. I didn’t realize cutting a
> > release was high effort.
> FWIW, I suspect a lot of users get automated updates from their
> packager of choice, whether it's linux distro, Cygwin, MSYS2, or
> whatever.  If you look at their source packages, they routinely apply
> these kinds of changes as updates to older releases.  Even if you
> don't use that packager, you can still use their source package for
> Emacs to get a version with the relevant security patches.

Most Linux distributions rely on public CVE information for security
updates. I fixed 4 vulnerabilities[1], but to date, only one
vulnerability has been assigned a CVE number (CVE-2022-45939), so most
Linux distributions have not fixed the other three vulnerabilities.

Depending on the distro, security updates are only available for Linux,
BSD, etc., while Windows users cannot update automatically.

[1] patches:
