* etc/NEWS.25: Copy from emacs-25 etc/NEWS.

author: Paul Eggert 2017-09-12 12:55:29 -0700
committer: Paul Eggert 2017-09-12 12:56:26 -0700
commit: d07fd34722b84ae2c407f195c82d7632a94de704 (patch)
tree: 19b518c75dda4cef69274b762a4985502c3684de
parent: cb80fd0d5009f4ae246a55a5504173c08215eaa7 (diff)
download: emacs-d07fd34722b84ae2c407f195c82d7632a94de704.tar.gz
emacs-d07fd34722b84ae2c407f195c82d7632a94de704.zip
1 files changed, 17 insertions, 22 deletions
diff --git a/etc/NEWS.25 b/etc/NEWS.25
index db448fd61ac..be04b5fcdc3 100644
--- a/etc/NEWS.25
+++ b/etc/NEWS.25
@@ -18,33 +18,28 @@ with a prefix argument or by typing C-u C-h C-n.
 * Changes in Emacs 25.3
-This is mainly a release to fix security-relevant bugs.
+This is an emergency release to fix a security vulnerability in Emacs.
-** Enriched text mode no longer supports the 'FUNCTION' and 'display'
+** Security vulnerability related to Enriched Text mode is removed.
-translations, and Gnus no longer processes enriched text when
-inlining.  This fixes bugs introduced in Emacs 19.29.  To work around
-these bugs in Emacs versions 19.29 through 25.2, append the following
-to your ~/.emacs file:
-  (provide 'enriched)
+*** Enriched Text mode has its support for decoding 'x-display' disabled.
-  (defun enriched-mode (&optional arg))
+This feature allows saving 'display' properties as part of text.
-  (defun enriched-decode (from to))
+Emacs 'display' properties support evaluation of arbitrary Lisp forms
+as part of instantiating the property, so decoding 'x-display' is
+vulnerable to executing arbitrary malicious Lisp code included in the
+text (e.g., sent as part of an email message).
-Thanks to Charles A. Roelli for reporting this bug; see:
+This vulnerability was introduced in Emacs 21.1.  To work around that
-https://bugs.gnu.org/28350
+in Emacs versions before 25.3, append the following to your ~/.emacs
+init file:
-** TLS/SSL connections no longer fall back on the openssl s_client
+  (eval-after-load "enriched"
-command to set up SSL connections in some hopefully-unlikely cases.
+    '(defun enriched-decode-display-prop (start end &optional param)
-This fixes a bug introduced in Emacs 22.1.  To work around this bug in
+       (list start end)))
-Emacs versions 22.1 through 25.2, append the following to your
-~/.emacs file:
-  (setq tls-program '("gnutls-cli --x509cafile %t -p %p %h"))
+*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
+This support was disabled to avoid evaluation of arbitrary Lisp code
-You may need to omit the "--x509cafile %t" on older installations.
+contained in email messages and news articles.
-Thanks to Kurt Roeckx for reporting this bug to Debian; see:
-https://bugs.debian.org/766397
 * Changes in Emacs 25.2
author	Paul Eggert	2017-09-12 12:55:29 -0700
committer	Paul Eggert	2017-09-12 12:56:26 -0700
commit	d07fd34722b84ae2c407f195c82d7632a94de704 (patch)
tree	19b518c75dda4cef69274b762a4985502c3684de
parent	cb80fd0d5009f4ae246a55a5504173c08215eaa7 (diff)
download	emacs-d07fd34722b84ae2c407f195c82d7632a94de704.tar.gz emacs-d07fd34722b84ae2c407f195c82d7632a94de704.zip

diff --git a/etc/NEWS.25 b/etc/NEWS.25 index db448fd61ac..be04b5fcdc3 100644 --- a/etc/NEWS.25 +++ b/etc/NEWS.25
@@ -18,33 +18,28 @@ with a prefix argument or by typing C-u C-h C-n.
18		18
19	* Changes in Emacs 25.3	19	* Changes in Emacs 25.3
20		20
21	This is mainly a release to fix security-relevant bugs.	21	This is an emergency release to fix a security vulnerability in Emacs.
22		22
23	** Enriched text mode no longer supports the 'FUNCTION' and 'display'	23	** Security vulnerability related to Enriched Text mode is removed.
24	translations, and Gnus no longer processes enriched text when
25	inlining. This fixes bugs introduced in Emacs 19.29. To work around
26	these bugs in Emacs versions 19.29 through 25.2, append the following
27	to your ~/.emacs file:
28		24
29	(provide 'enriched)	25	*** Enriched Text mode has its support for decoding 'x-display' disabled.
30	(defun enriched-mode (&optional arg))	26	This feature allows saving 'display' properties as part of text.
31	(defun enriched-decode (from to))	27	Emacs 'display' properties support evaluation of arbitrary Lisp forms
		28	as part of instantiating the property, so decoding 'x-display' is
		29	vulnerable to executing arbitrary malicious Lisp code included in the
		30	text (e.g., sent as part of an email message).
32		31
33	Thanks to Charles A. Roelli for reporting this bug; see:	32	This vulnerability was introduced in Emacs 21.1. To work around that
34	https://bugs.gnu.org/28350	33	in Emacs versions before 25.3, append the following to your ~/.emacs
		34	init file:
35		35
36	** TLS/SSL connections no longer fall back on the openssl s_client	36	(eval-after-load "enriched"
37	command to set up SSL connections in some hopefully-unlikely cases.	37	'(defun enriched-decode-display-prop (start end &optional param)
38	This fixes a bug introduced in Emacs 22.1. To work around this bug in	38	(list start end)))
39	Emacs versions 22.1 through 25.2, append the following to your
40	~/.emacs file:
41		39
42	(setq tls-program '("gnutls-cli --x509cafile %t -p %p %h"))	40	*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
43		41	This support was disabled to avoid evaluation of arbitrary Lisp code
44	You may need to omit the "--x509cafile %t" on older installations.	42	contained in email messages and news articles.
45
46	Thanks to Kurt Roeckx for reporting this bug to Debian; see:
47	https://bugs.debian.org/766397
48		43
49		44
50	* Changes in Emacs 25.2	45	* Changes in Emacs 25.2