procyberian/emacs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

* etc/NEWS.25: Copy from emacs-25 etc/NEWS.

Browse source
This commit is contained in:
Paul Eggert 2017-09-12 12:55:29 -07:00
parent cb80fd0d50
commit d07fd34722
1 changed files with 17 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
etc/NEWS.25
View file

@ -18,33 +18,28 @@ with a prefix argument or by typing C-u C-h C-n.
* Changes in Emacs 25.3
This is mainly a release to fix security-relevant bugs.
This is an emergency release to fix a security vulnerability in Emacs.
** Enriched text mode no longer supports the 'FUNCTION' and 'display'
translations, and Gnus no longer processes enriched text when
inlining. This fixes bugs introduced in Emacs 19.29. To work around
these bugs in Emacs versions 19.29 through 25.2, append the following
to your ~/.emacs file:
** Security vulnerability related to Enriched Text mode is removed.
(provide 'enriched)
(defun enriched-mode (&optional arg))
(defun enriched-decode (from to))
*** Enriched Text mode has its support for decoding 'x-display' disabled.
This feature allows saving 'display' properties as part of text.
Emacs 'display' properties support evaluation of arbitrary Lisp forms
as part of instantiating the property, so decoding 'x-display' is
vulnerable to executing arbitrary malicious Lisp code included in the
text (e.g., sent as part of an email message).
Thanks to Charles A. Roelli for reporting this bug; see:
https://bugs.gnu.org/28350
This vulnerability was introduced in Emacs 21.1. To work around that
in Emacs versions before 25.3, append the following to your ~/.emacs
init file:
** TLS/SSL connections no longer fall back on the openssl s_client
command to set up SSL connections in some hopefully-unlikely cases.
This fixes a bug introduced in Emacs 22.1. To work around this bug in
Emacs versions 22.1 through 25.2, append the following to your
~/.emacs file:
(eval-after-load "enriched"
'(defun enriched-decode-display-prop (start end &optional param)
(list start end)))
(setq tls-program '("gnutls-cli --x509cafile %t -p %p %h"))
You may need to omit the "--x509cafile %t" on older installations.
Thanks to Kurt Roeckx for reporting this bug to Debian; see:
https://bugs.debian.org/766397
*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
This support was disabled to avoid evaluation of arbitrary Lisp code
contained in email messages and news articles.
* Changes in Emacs 25.2