There are 5 open security issues in bullseye.
4 important issues:
- CVE-2024-30202:
In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.
- CVE-2024-30203:
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
- CVE-2024-30204:
In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.
- CVE-2024-30205:
In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.
1 issue left for the package maintainer to handle:
- CVE-2023-28617 (needs triaging):
org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.
You can find information about how to handle this issue in the security team's documentation.