In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.
References and upstream patch:
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
https://list.orgmode.org/87sex5gdqc.fsf%40localhost/
https://news.ycombinator.com/item?id=40768225
https://www.openwall.com/lists/oss-security/2024/06/23/1
https://www.openwall.com/lists/oss-security/2024/06/23/2
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8
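
An audit check for the issue described above, added here as an example and not taken from the report or from the Emacs or Org Mode sources: it lists every `#+LINK:` abbreviation in an Org file whose replacement contains a `%(...)` function token, so files from untrusted sources can be reviewed before they are opened in an unpatched Emacs. The sample file, the `allowed` parameter and the name `my-site-ref-link` are assumptions made for the illustration.

```python
import re

# "#+LINK: key replacement" is Org's in-buffer link abbreviation keyword;
# a "%(name)" token in the replacement names an Emacs Lisp function.
LINK_KEYWORD = re.compile(
    r"^[ \t]*#\+LINK:[ \t]+(\S+)[ \t]+(.+?)[ \t]*$", re.IGNORECASE)
FUNCTION_TOKEN = re.compile(r"%\(([^)]+)\)")


def find_function_abbrevs(org_text, allowed=frozenset()):
    """Return (line_number, key, function_name) for every #+LINK
    definition whose replacement calls a function outside `allowed`."""
    findings = []
    for line_number, line in enumerate(org_text.splitlines(), start=1):
        keyword = LINK_KEYWORD.match(line)
        if not keyword:
            continue  # %(...) outside a #+LINK keyword is not an abbrev
        key, replacement = keyword.groups()
        for token in FUNCTION_TOKEN.finditer(replacement):
            name = token.group(1).strip()
            if name not in allowed:
                findings.append((line_number, key, name))
    return findings


# Constructed sample file, not taken from the advisory.
SAMPLE_ORG = """\
#+TITLE: Shared notes
#+LINK: bugzilla https://bugzilla.example.org/show_bug.cgi?id=%s
#+link: lookup %(shell-command-to-string)
  #+LINK: ref %(my-site-ref-link)
Plain text mentioning %(not-a-keyword) is ignored.
"""

if __name__ == "__main__":
    # "my-site-ref-link" stands for a hypothetical locally reviewed helper.
    for line_number, key, name in find_function_abbrevs(
            SAMPLE_ORG, allowed={"my-site-ref-link"}):
        print(f"line {line_number}: abbrev '{key}' calls {name}")
```

The check covers only abbreviations defined inside the file itself; abbreviations configured elsewhere in Emacs are outside its scope.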

Created emacs tracking bugs for this issue:
  Affects: fedora-all [bug 2293944]

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Via RHSA-2024:4971 https://access.redhat.com/errata/RHSA-2024:4971

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2024:6203 https://access.redhat.com/errata/RHSA-2024:6203

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2024:6510 https://access.redhat.com/errata/RHSA-2024:6510

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2024:6987 https://access.redhat.com/errata/RHSA-2024:6987