Your message dated Sat, 26 Aug 2023 11:35:49 +0000
with message-id <e1qzra1-00eh6s...@fasolo.debian.org>
and subject line Bug#1033341: fixed in org-mode 9.4.0+dfsg-1+deb11u1
has caused the Debian Bug report #1033341,
regarding org-mode: CVE-2023-28617
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033341
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: org-mode
Version: 9.5.2+dfsh-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:emacs 1:28.2+1-13
Control: retitle -2 emacs: CVE-2023-28617

Hi,

The following vulnerability was published for org-mode (and emacs,
will close this bug).

CVE-2023-28617[0]:
| org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
| GNU Emacs allows attackers to execute arbitrary commands via a file
| name or directory name that contains shell metacharacters.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28617
    https://www.cve.org/CVERecord?id=CVE-2023-28617

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: org-mode
Source-Version: 9.4.0+dfsg-1+deb11u1
Done: Nicholas D Steeves <s...@debian.org>

We believe that the bug you reported is fixed in the latest version of
org-mode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicholas D Steeves <s...@debian.org> (supplier of updated org-mode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 03 Aug 2023 09:28:47 -0400
Source: org-mode
Architecture: source
Version: 9.4.0+dfsg-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Emacsen team <debian-emacsen@lists.debian.org>
Changed-By: Nicholas D Steeves <s...@debian.org>
Closes: 1033341
Changes:
 org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium
 .
   * Team upload.
   * Fix Org Mode command injection vulnerability CVE-2023-28617 by backporting
     0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs
     did (Closes: #1033341).  Thanks to Rob Browning's work in that package,
     fixing org-mode was trivially easy!

--- End Message ---
