1.147.0
cf-buildpacks-eng released this 20 Sep 15:45 (27 commits to main since this release)
Notably, this release addresses:

USN-7027-1 Emacs vulnerabilities:
- CVE-2024-39331: In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.
- CVE-2024-30205: In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.
- CVE-2024-30203: In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
- CVE-2023-28617: org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.
- CVE-2022-48339: An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
- CVE-2024-30204: In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.
- CVE-2022-48338: An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.
- CVE-2022-48337: GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.
- CVE-2022-45939: GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.
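Several of the entries above (CVE-2022-48337, CVE-2022-45939, CVE-2022-48339, CVE-2022-48338) share one root cause: an externally controlled file name is spliced into a command string that a shell then parses. The following is an added example, not etags or Emacs code, with two hypothetical helpers: one that flags names containing POSIX shell metacharacters, and one that single-quotes a name so a shell treats it as a literal when a shell cannot be avoided.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers (added example). The durable fix for the etags-style
 * bug is to hand an argv to execvp() and never involve a shell at all; the
 * quoting helper below covers the case where a shell string is unavoidable. */

/* Return 1 if name contains any character a POSIX shell treats specially. */
int contains_shell_meta(const char *name)
{
    return strpbrk(name, "|&;<>()$`\\\"' \t\n*?[#~") != NULL;
}

/* Quote `in` for /bin/sh: wrap it in single quotes and turn each embedded
 * single quote into the four-byte sequence '\'' (close, escaped quote,
 * reopen). Writes the result into out (capacity outsz) and returns its
 * length, or -1 if it does not fit. */
long shell_single_quote(const char *in, char *out, size_t outsz)
{
    size_t need = 2;                       /* opening and closing quote */
    for (const char *p = in; *p; p++)
        need += (*p == '\'') ? 4 : 1;
    if (need + 1 > outsz)                  /* +1 for the terminating NUL */
        return -1;

    size_t n = 0;
    out[n++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') { memcpy(out + n, "'\\''", 4); n += 4; }
        else            { out[n++] = *p; }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    /* Constructed sample: a source-file name carrying a shell metacharacter,
     * the situation the "etags -u *" example in the advisory text describes. */
    const char *name = "src;echo hi.c";
    char quoted[256];

    printf("contains shell metacharacters: %d\n", contains_shell_meta(name));
    if (shell_single_quote(name, quoted, sizeof quoted) > 0)
        printf("quoted for /bin/sh: etags -u %s\n", quoted);
    return 0;
}
```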
-ii libpcap0.8:amd64 1.10.1-4build1 amd64 system interface for user-level packet capture
+ii libpcap0.8:amd64 1.10.1-4ubuntu1.22.04.1 amd64 system interface for user-level packet capture
```
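Review bot: the libpcap0.8 bump from 1.10.1-4build1 to 1.10.1-4ubuntu1.22.04.1 is visible only in this package diff; the notes above cite USN-7027-1 for the Emacs packages but give no advisory or changelog reference for this update, so add the corresponding USN (or a changelog link) next to the Emacs entry so the reason for the bump is traceable from the release notes.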