In the absence of a security list, and because the fix is not an update to a newer version: Users of latex should be aware that a new vulnerability was announced at the end of last month.
This also applies to those who installed latex from the binary and have not used tlmgr. I assume that new binary installs in the past few days have already included the fix, which is to remove mpost from the shell_escape_commands in texmf.cnf (my machine where I had a binary install is currently broken, can't check).

Rather than alter the install to remove that line early on, in this case I have added a new command at the end of the source install, prefixed "Now, or if returning here because you were advised, fix a new vulnerability."

Normally this sort of information would only be included in the Errata, and in the tickets (e.g. defect with priority high or greater). Because this does not seem to be as well known even as the current vulnerability to all kernels (local user privilege escalation), and the POC described it as pwning a co-worker's laptop, on this occasion I am mentioning it here.

ĸen
--
`I shall take my mountains', said Lu-Tze. `The climate will be good for them.' -- Small Gods
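One way to check a texmf.cnf for the condition described in the message above, and to write a copy with mpost removed from shell_escape_commands. This is an added example, not the command from the BLFS book or from the original post; the function names are hypothetical, the sample file is constructed, and it assumes the list is comma-separated with backslash line continuations.

```sh
#!/bin/sh
# Added example (not the BLFS command). Function names are hypothetical.

# Print the first active shell_escape_commands value as one comma-separated
# line, joining "\" continuations. Commented-out definitions are ignored.
shell_escape_list() {
    awk '
        !inlist && !done && /^[ \t]*shell_escape_commands[ \t]*=/ {
            inlist = 1
            sub(/^[^=]*=/, "")
        }
        inlist {
            sub(/%.*$/, "")                 # simplification: drop any comment
            cont = sub(/\\[ \t]*$/, "")     # trailing "\" continues the list
            gsub(/[ \t]/, "")
            out = out $0
            if (!cont) { inlist = 0; done = 1 }
        }
        END { print out }
    ' "$1"
}

# Exit 0 if an entry is exactly "mpost" (a name that only contains it is not).
has_mpost() {
    shell_escape_list "$1" | tr ',' '\n' | grep -qx 'mpost'
}

# Write a copy of $1 to $2 with the list rewritten on one line, minus mpost.
remove_mpost() {
    new=$(shell_escape_list "$1" | tr ',' '\n' | grep -vx -e mpost -e '' | paste -sd, -)
    awk -v new="$new" '
        !inlist && !done && /^[ \t]*shell_escape_commands[ \t]*=/ {
            inlist = 1; print "shell_escape_commands = " new
        }
        inlist {
            if ($0 !~ /\\[ \t]*$/) {
                inlist = 0; done = 1
                if ($0 ~ /^[ \t]*$/ || $0 ~ /^[ \t]*%/) print   # keep terminator
            }
            next
        }
        { print }
    ' "$1" > "$2"
}

# Constructed sample input, not a real texmf.cnf.
write_sample() {
    printf '%s\n' '% constructed sample' 'shell_escape = p' 'shell_escape_commands = \' \
        'bibtex,kpsewhich,\' 'mpost,\' 'repstopdf,\' '' '% end' > "$1"
}
```

To audit an installation, call `has_mpost` with the path to that install's texmf.cnf; `remove_mpost` writes to a second path so the result can be diffed before it replaces the original.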