Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: org-mode@packages.debian.org
Control: affects -1 + src:org-mode
Control: block -1 by 1069943
This is a security update for CVEs marked no-dsa by the secteam.
It backports a series of upstream commits for CVE-2024-30203, CVE-2024-30204 and CVE-2024-30205.
I had to backport a feature that the fixes use to pop up a dialog asking the user about the potentially unsafe remote resources.
This involves only localised code changes, and is already two years old, so has received an adequate amount of testing upstream.
The fix depends on some corresponding changes to Emacs, in #1069943.
I manually tested the fixes using reproducers provided in the BTS and from upstream. The fixes are already in unstable. I have uploaded to oldstable-pu.
--
Sean Whitton
Content-Disposition: attachment; filename="org-mode_9.4.0+dfsg-1+deb11u2.debdiff"
diff -Nru org-mode-9.4.0+dfsg/debian/changelog org-mode-9.4.0+dfsg/debian/changelog
--- org-mode-9.4.0+dfsg/debian/changelog 2023-08-03 14:28:47.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/changelog 2024-04-30 09:08:33.000000000 +0100
@@ -1,3 +1,11 @@
+org-mode (9.4.0+dfsg-1+deb11u2) bullseye; urgency=high
+
+ * Team upload.
+ * Fix CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205 (Closes: #1067663).
+ - Require Emacs 1:27.1+1-3.1+deb11u3 to ensure we get the whole fix.
+
+ -- Sean Whitton <
spwhitton@spwhitton.name> Tue, 30 Apr 2024 09:08:33 +0100
+
org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium
* Team upload.
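Review bot: The new changelog entry records the CVE fix and the versioned Emacs requirement but not the user-visible behaviour change described in the cover letter (a backported confirmation dialog that asks before loading potentially unsafe remote resources); for a stable update, a sub-bullet under the CVE line naming that new prompt would let users and the release team see why Org now behaves differently. The "Require Emacs 1:27.1+1-3.1+deb11u3 to ensure we get the whole fix" line also cannot be checked against debian/control from what is visible, since the control hunk is cut off below; confirm that the versioned dependency in debian/control matches the Emacs version that carries the #1069943 changes, which is the upload this bug is marked as blocked by.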
diff -Nru org-mode-9.4.0+dfsg/debian/control org-mode-9.4.0+dfsg/debian/control --- org-mode-9.4.0+dfsg/debian/control 2023-08-03 14:28:47.000000000