As a general matter, security holes are usually not advertised by detailing
them in the NEWS file.
The disclosure of such things goes on a different schedule, typically _after_
binaries are out, at which point editing the NEWS file is too late.
There are other things that do not go into NEWS:
On Wed, 1 May 2024 16:57:18 +
"Howard, Tim G (DEC) via R-help" wrote:
> Is this real?
Yes, but with a giant elephant in the room that many are overlooking.
It has actually always been much worse.
Until R-4.4.0, there used to be a way for readRDS() to return an
unevaluated "promise object".
All,
There seems to be a hullabaloo about a vulnerability in R when deserializing
untrusted data:
https://hiddenlayer.com/research/r-bitrary-code-execution
https://nvd.nist.gov/vuln/detail/CVE-2024-27322
https://www.kb.cert.org/vuls/id/238194
Apparently a fix was made for R 4.4.0, but I see no