-------------------------------------------------------------------------
Debian LTS Advisory DLA-3848-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Sean Whitton
June 29, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : org-mode
Version        : org-mode 9.1.14+dfsg-3+deb10u3
CVE ID         : CVE-2024-39331
Debian Bug     : 1074136

A vulnerability was discovered in Org-mode, a GNU Emacs major mode for
keeping notes, authoring documents, and maintaining to-do lists.

The org-link-expand-abbrev function expanded a %(...) link abbrev even
when the abbrev specified an unsafe function, such as
shell-command-to-string.

This could lead to arbitrary code execution as soon as an Org-mode
format file was opened, including one embedded in an e-mail message.

For Debian 10 buster, these problems have been fixed in version
9.1.14+dfsg-3+deb10u3.

We recommend that you upgrade your org-mode packages.

For the detailed security status of org-mode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/org-mode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3848-1: org-mode Security Advisory Updates

June 29, 2024

A vulnerability was discovered in Org-mode, a GNU Emacs major mode for keeping notes, authoring documents, and maintaining to-do lists

Summary

The org-link-expand-abbrev function expanded a %(...) link abbrev even
when the abbrev specified an unsafe function, such as
shell-command-to-string.

This could lead to arbitrary code execution as soon as an Org-mode
format file was opened, including one embedded in an e-mail message.

For Debian 10 buster, these problems have been fixed in version
9.1.14+dfsg-3+deb10u3.

We recommend that you upgrade your org-mode packages.

For the detailed security status of org-mode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/org-mode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Severity

Package : org-mode

Version : org-mode 9.1.14+dfsg-3+deb10u3

CVE ID : CVE-2024-39331

Debian Bug : 1074136

Related News

34.Key AbstractDigital Esm H170

Mallox Ransomware: A Rising Threat to Linux Servers

2 - 4 min read

Jul 04, 2024

Security threats continue developing rapidly, with attackers finding new vulnerabilities daily. Recent findings from researchers at Uptycs indicate

32.Lock Code Circular Esm H170

Severe Linux Kernel Privilege Escalation Bugs Could Compromise Entire Systems

2 - 4 min read

Jul 03, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its

1.Penguin Landscape Esm H170

Embracing Digital Independence: The Case for Switching to Linux from Windows

2 - 3 min read

Jul 03, 2024

On Independence Day, there is a deep recognition of digital autonomy amidst the colorful fireworks displays and patriotic revelry. At LinuxSecurity,

20.Lock AbstractDigital Circular Esm H170

CISA Adds New Chromium Zero-Day Bug to its Known Exploited Vulnerability Catalog

2 - 3 min read

Jul 03, 2024

Google has released fixes for a high-severity Chromium security flaw ( CVE-2024-5274 ) impacting its widely used Chrome browser and other

11.Locks IsometricPattern Esm H170

Exploring Linux Mint 22 'Wilma': Key Updates and Security Improvements for Admins

2 - 4 min read

Jul 02, 2024

Linux Mint is a user-friendly GNU/Linux desktop distribution built upon Ubuntu and Debian for maximum reliability while offering an aesthetically

32.Lock Code Circular Esm H170

Recent OpenSSH RCE Bug Explained: Impact & Mitigations

2 - 4 min read

Jul 01, 2024

In an era where cybersecurity threats loom larger than ever, the discovery of a Remote Code Execution (RCE) vulnerability in OpenSSH by Qualys’

27.Tablet Connections Blocks Lock Esm H170

Debian 12.6 Released: Understanding the Security & Stability Enhancements

2 - 4 min read

Jul 01, 2024

Debian recently unveiled a significant update to its stable distribution, Debian 12.6 (codename "bookworm"). While not an entirely new release, this

8.Locks HexConnections CodeGlobe Esm H170

Canonical's Game-Changing Move: 12-Year LTS for Distroless Docker Images

2 - 4 min read

Jun 28, 2024

Canonical has made headlines with its groundbreaking long-term support (LTS) service offering to extend far beyond Ubuntu deb packages, promising 12

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

News

Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Advisories

Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
HOWTOs

Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Features

Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
About Us

Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Powered By

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

© 2024 Guardian Digital, Inc All Rights Reserved