Re: Emacs 30.1 released
From: Joseph Mingrone
Subject: Re: Emacs 30.1 released
Date: Mon, 24 Feb 2025 23:21:35 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/30.1

Hello,

On Sun, 2025-02-23 at 17:41, Stefan Kangas <stefankangas@gmail.com> wrote:

> Emacs 30.1 includes security fixes for a shell injection vulnerability
> in man.el (CVE-2025-1244), and for arbitrary code execution with
> flymake (CVE-2024-53920). We recommend upgrading immediately.

Thank you for your work on the 30.1 release.

I help maintain the FreeBSD Emacs ports/packages: editors/emacs and
editors/emacs-devel. The emacs-devel port/package tracks the Emacs
master branch and updates approximately every two weeks.

The FreeBSD community maintains a package vulnerability database called
VuXML that alerts users to security issues affecting specific package
versions. I'm trying to determine which versions of our
editors/emacs-devel port/package are affected by the CVEs mentioned in
the 30.1 release notes.

For CVE-2024-53920, I see commits from 2024-12-10 to 2024-12-18
(b5158bd1914, 8b6c6cffd1f, b9dc337ea74, and 8a0c9c234f1), which I
believe address the issue. Are there any additional fixes for this CVE
that I may have missed?

For CVE-2025-1244, was the issue addressed solely in commit 820f0793f0b4
on 2024-01-10? If so, our emacs-devel port/package has included the
workaround for over a year.

Thanks for any insight you can provide.

Joe