Subject: | |
From: | |
Reply To: | |
Date: | Wed, 20 Sep 2017 16:47:22 +1000 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
Hi Andrew
So much for security issue support for 10 years. Probably best to assume only 7 years in real life.
This is why I'm switching all our users over to SL7 MATE, now that SL6 is in its final phase.
Cheers
Bill
-----Original message-----
> From:Andrew C Aitchison <[log in to unmask]>
> Sent: Wednesday 20th September 2017 16:32
> To: [log in to unmask]
> Subject: emacs on SL6 - was Re: Security ERRATA Important: emacs on SL7.x x86_64
>
> On Tue, 19 Sep 2017, Pat Riehecky wrote:
>
> > Synopsis: Important: emacs security update
> > Advisory ID: SLSA-2017:2771-1
> > Issue Date: 2017-09-19
> > CVE Numbers: CVE-2017-14482
> > --
> >
> > Security Fix(es):
> >
> > * A command injection flaw within the Emacs "enriched mode" handling has
> > been discovered. By tricking an unsuspecting user into opening a specially
> > crafted file using Emacs, a remote attacker could exploit this flaw to
> > execute arbitrary commands with the privileges of the Emacs user.
> > (CVE-2017-14482)
>
> I see from https://access.redhat.com/security/cve/CVE-2017-14482
> that RedHat have marked this "wont fix" on RHEL6 and "investigating"
> on RHEL5, which seems odd - I'd have expected the other way around
> (unless a RHEL5 customer is paying for it).
>
> Yes, there is a workaround, but I imagine that emacs is commonly used
> on RHEL6 and SL6 servers and it only takes one careless mistake...
>
> How do other SL6 users feel about this "wont fix" ?
>
> I'm trying to write my own patch, but seem to be struggling to patch
> a file near a ctrl-L character ...
>
> --
> Andrew C. Aitchison Cambridge, UK
> [log in to unmask]
>
>
|
|
|