[Announcement] Emergency bugfix release: Org mode 9.7.5

Dear all,

I just released Org mode 9.7.5 that fixes a critical vulnerability. The release is coordinated with emergency Emacs 29.4 release.

Please upgrade your Org mode.

The vulnerability involves arbitrary Shell code evaluation when previewing attachments in Emacs MUA (gnus-based: at least, mu4e, Notmuch, Gnus itself) or when opening third-party Org files. All the earlier versions of Org mode are affected.

Note that the vulnerability solved in this release has nothing to do with the recent Org 9.6.23 release ([ANN] Emergency bugfix release: Org mode 9.6.23 - Ihor Radchenko). It has existed for a long time and was discovered by accident.


Dear all,

I just released Org mode 9.7.5, which fixes a critical vulnerability. The release is coordinated with the emergency Emacs 29.4 release.

Please upgrade your Org mode.

The vulnerability involves arbitrary shell code execution when previewing attachments in an Emacs MUA (at least mu4e, Notmuch, and Gnus itself) or when opening third-party Org files. All earlier versions of Org mode are affected.

Note that the vulnerability solved in this release has nothing to do with the recent Org 9.6.23 release ([ANN] Emergency bugfix release: Org mode 9.6.23 - Ihor Radchenko). It has existed for a long time and was discovered by accident.


https://list.orgmode.org/87sex5gdqc.fsf@localhost/#r

9 likes

What about older versions? Are they just left as they are?

If you cannot upgrade, you can cherry-pick commit https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8.

Only the latest Org mode release is maintained. There is no back-porting of fixes onto older releases.


If you cannot upgrade, cherry-pick commit https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8.

Only the latest Org mode release is maintained. Fixes are not backported to older releases.

The commit is c645e1d8205f0f0663ec4a2d27575b238c646c7c in the emacs tree. Cherry-picking it works for emacs-27.

Thanks.