The Emacs extensible text editor (among other things) has made a security release to address two vulnerabilities. Emacs 30.1 has fixes for CVE-2025-1244, which is a shell-command-injection flaw in the man.el man page browser and for CVE-2024-53920, which is a code-execution vulnerability in the flymake syntax-checking mode. LWN covered the flymake problems back in December.
| From: | Stefan Kangas <stefankangas-AT-gmail.com> | |
| To: | emacs-devel-AT-gnu.org | |
| Subject: | Emacs 30.1 released | |
| Date: | Sun, 23 Feb 2025 17:41:38 +0000 | |
| Message-ID: | <CADwFkm=sxug7RYG0CL3Mty421NHVfhxOzuojd0+r4N34cfw8wg@mail.gmail.com> | |
| Archive-link: | Article |
Hi, Version 30.1 of Emacs, the extensible text editor, should now be available from your nearest GNU mirror: https://ftpmirror.gnu.org/emacs/emacs-30.1.tar.xz https://ftpmirror.gnu.org/emacs/emacs-30.1.tar.gz Emacs 30.1 includes security fixes for a shell injection vulnerability in man.el (CVE-2025-1244), and for arbitrary code execution with flymake (CVE-2024-53920). We recommend upgrading immediately. The tarballs are signed. You can find the PGP signature files at: https://ftpmirror.gnu.org/emacs/emacs-30.1.tar.xz.sig https://ftpmirror.gnu.org/emacs/emacs-30.1.tar.gz.sig You can choose a mirror explicitly from the list at: https://www.gnu.org/prep/ftp.html Mirrors may take some time to update; the main GNU ftp server is at: https://ftp.gnu.org/gnu/emacs/ -------------------------------------- To verify the integrity of the downloaded tarball, download both the tarball and the corresponding .sig file, and run this command: gpg --verify emacs-30.1.tar.xz.sig (and similarly for emacs-30.1.tar.gz, if you download that format). If the GPG command fails because you don't have the required PGP public key, run this command to import the key: gpg --keyserver keyserver.ubuntu.com --recv-keys \ CEA1DE21AB108493CC9C65742E82323B8F4353EE Alternative keyservers include pgp.mit.edu and keys.openpgp.org. You can also run sha1sum or sha256sum and confirm that these checksums match: SHA1 emacs-30.1.tar.gz 57c382f8cd2bd58b146b4b120ab8941f261b82b7 SHA1 emacs-30.1.tar.xz 668a302193c8a2aa62ba719b959fd8bb7754276d SHA256 emacs-30.1.tar.gz 54404782ea5de37e8fcc4391fa9d4a41359a4ba9689b541f6bc97dd1ac283f6c SHA256 emacs-30.1.tar.xz 6ccac1ae76e6af93c6de1df175e8eb406767c23da3dd2a16aa67e3124a6f138f ---------------------------------------- For a summary of changes in Emacs 30, see the etc/NEWS file in the tarball; you can view it from Emacs by typing 'C-h n', or by clicking Help->Emacs News from the menu bar. You can also browse NEWS online using this URL: https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS... For the complete list of changes and the people who made them, see the various ChangeLog files in the source distribution. For a summary of all the people who have contributed to Emacs, see the etc/AUTHORS file. For more information about Emacs, see: https://www.gnu.org/software/emacs
Attachment: signature.asc (type=application/pgp-signature)-----BEGIN PGP SIGNATURE----- iQFLBAEBCgA1FiEEuwLkB66eqofJ5yodLU4f6VlXE10FAme7XcMXHHN0ZWZhbmth bmdhc0BnbWFpbC5jb20ACgkQLU4f6VlXE120vQgAo3/ZgNT+s+DRG+9AVG7b4qmF Azysi2KKoMxAgpNZPk4Ca8A2y5RBj1jIZswhnmdq0K+txLgq8Wa32iIkKKoNb2cO CidfVoc1O7suYup9a8g9ON9WrWh65Gpui6xEt2TSWAhjMlxHOWlD+4r4I7G2lR5v yWvZzajAL2iDrNyzYduJwXLiwyRXq44dpsjdlcgP64H6n/wB04EjVLv1rdVrZ7IE okn401m9QwUZf856SWUDUbqvkVgjbSnrqV4Tptrur5kO49eJnP7aNSAn+7SLt/g0 17zA1ygcA48HDbn/0HTHcG5l+a99IFWqU/Il92Bk7Qk0H9UKla+jEQsudarD0Q== =t4A2 -----END PGP SIGNATURE-----