From mboxrd@z Thu Jan 1 00:00:00 1970
From: lux
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs 28.3 Release
Date: Mon, 10 Apr 2023 22:33:08 +0800
References: <9ea47b22-f2d8-4225-b5f2-966ca0d797f9@Spark> <83r0src1rc.fsf@gnu.org>
In-Reply-To: <83r0src1rc.fsf@gnu.org>
To: Eli Zaretskii, Troy Hinckley
Cc: emacs-devel@gnu.org, stefankangas@gmail.com

On Mon, 2023-04-10 at 16:20 +0300, Eli Zaretskii wrote:
> > Date: Mon, 10 Apr 2023 08:05:04 -0500
> > From: Troy Hinckley
> >
> > I am asking again what we can do to complete the Emacs 28.3
> > release. My concern is that we have a narrow window in which this
> > version will be viable. As it currently stands the latest stable
> > release has a high severity CVE that prevents Emacs from being
> > installed in security sensitive domains. 28.3 will resolve that and
> > make the latest stable release usable. However, someone will
> > inevitably find another CVE against Emacs. At that point 28.3 will
> > no longer be useful. Given how hard it has been to get this release,
> > I doubt there would be resources to add another security patch to
> > Emacs 28.
> >
> > I am requesting to see if there is anything the community can do to
> > help complete this release before it becomes irrelevant. The release
> > candidate has been out for a couple of months at this point.
>
> Stefan was working on 28.3, prepared an RC, and has been silent for
> the last 4 weeks or so. I think any work on this should pick up where
> he left off, but for that we need him to tell us where he left off...
>

There are new security patches, CVE-2023-28617, CVE-2023-27985 and
CVE-2023-27986. If Emacs 28.3 is to be released, I suggest they should
be applied.

But, where is Stefan?

[Attachment: 0001-Fix-CVE-2023-28617.patch (text/x-patch)]
[Attachment: 0001-Fix-CVE-2023-27985-and-CVE-2023-27986.patch (text/x-patch)]