Among the 2 debian patches
available in version 9.8.6+dfsg-1 of the package,
we noticed the following issues:
1 patch
where the metadata indicates that the patch has not yet been forwarded
upstream. You should either forward the patch upstream or update the
metadata to document its real status.
CVE-2024-30202:
In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.
CVE-2024-30203:
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
CVE-2024-30204:
In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.
CVE-2024-30205:
In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.
CVE-2024-39331:
In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.