Hi David,

On Sun, Jun 04, 2023 at 08:34:18AM -0300, David Bremner wrote:
> Nicholas D Steeves <s...@debian.org> writes:
>
> > fixed 1033341 org/mode/9.5.2+dfsh-5
> > fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
> > thanks
>
> Are you sure about that? It depends on emacs 28.2, which afaik has the
> vulnerable org-mode embedded. I guess it's a question of interpretation,
> but the vulnerability is still there after installing the package.
For src:emacs the respective bug is #1033342. But this is why I as well mentioned that for org-mode this technically would need a per-suite "unimportant" tracking in the security-tracker (as the source is still affected up to < 9.6.6+dfsg-1~exp1, but not the resulting binary packages).

Looking at https://security-tracker.debian.org/tracker/CVE-2023-28617 I think we should be fine for bookworm already, correct? (For bullseye the issue is no-dsa and could be fixed with respective updates in a point release.)

Regards,
Salvatore