Commit d07fd347 authored by Paul Eggert

* etc/NEWS.25: Copy from emacs-25 etc/NEWS.

parent cb80fd0d
......@@ -18,33 +18,28 @@ with a prefix argument or by typing C-u C-h C-n.
* Changes in Emacs 25.3
This is mainly a release to fix security-relevant bugs.
This is an emergency release to fix a security vulnerability in Emacs.
** Enriched text mode no longer supports the 'FUNCTION' and 'display'
translations, and Gnus no longer processes enriched text when
inlining. This fixes bugs introduced in Emacs 19.29. To work around
these bugs in Emacs versions 19.29 through 25.2, append the following
to your ~/.emacs file:
** Security vulnerability related to Enriched Text mode is removed.
(provide 'enriched)
(defun enriched-mode (&optional arg))
(defun enriched-decode (from to))
*** Enriched Text mode has its support for decoding 'x-display' disabled.
This feature allows saving 'display' properties as part of text.
Emacs 'display' properties support evaluation of arbitrary Lisp forms
as part of instantiating the property, so decoding 'x-display' is
vulnerable to executing arbitrary malicious Lisp code included in the
text (e.g., sent as part of an email message).
Thanks to Charles A. Roelli for reporting this bug; see:
This vulnerability was introduced in Emacs 21.1. To work around that
in Emacs versions before 25.3, append the following to your ~/.emacs
init file:
** TLS/SSL connections no longer fall back on the openssl s_client
command to set up SSL connections in some hopefully-unlikely cases.
This fixes a bug introduced in Emacs 22.1. To work around this bug in
Emacs versions 22.1 through 25.2, append the following to your
~/.emacs file:
(eval-after-load "enriched"
'(defun enriched-decode-display-prop (start end &optional param)
(list start end)))
(setq tls-program '("gnutls-cli --x509cafile %t -p %p %h"))
You may need to omit the "--x509cafile %t" on older installations.
Thanks to Kurt Roeckx for reporting this bug to Debian; see:
*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
This support was disabled to avoid evaluation of arbitrary Lisp code
contained in email messages and news articles.
* Changes in Emacs 25.2
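Review bot: The two versions of the Enriched Text entry in this hunk give different affected ranges and different workarounds, and the commit message ("Copy from emacs-25 etc/NEWS") does not say that the security text changes. One version says the bugs date from Emacs 19.29 and stubs out `enriched-mode` and `enriched-decode` entirely; the other says the vulnerability was introduced in Emacs 21.1 and redefines only `enriched-decode-display-prop` inside `eval-after-load "enriched"`. The TLS entry about falling back on `openssl s_client`, together with its `(setq tls-program ...)` workaround, appears in only one version. Please note in the commit message that the copy replaces the advisory wording and the recommended ~/.emacs workaround, and say which workaround is current, so that users who already applied the other one know whether to keep it. Also check that the lines ending in "see:" are still followed by their reference after the copy; no reference is visible after them here.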
