As a general matter, security holes are usually not advertised by detailing them in the NEWS file.
The disclosure of such things goes on a different schedule, typically _after_ binaries are out, at which point editing the NEWS file is too late. There are other things that do not go into NEWS: documentation fixups, etc. What does go in is end-user visible functional changes and items that have an explicit PR# against them.

- Peter D.

> On 1 May 2024, at 18:57 , Howard, Tim G (DEC) via R-help <r-help@r-project.org> wrote:
>
> All,
> There seems to be a hullabaloo about a vulnerability in R when deserializing untrusted data:
>
> https://hiddenlayer.com/research/r-bitrary-code-execution
>
> https://nvd.nist.gov/vuln/detail/CVE-2024-27322
>
> https://www.kb.cert.org/vuls/id/238194
>
> Apparently a fix was made for R 4.4.0, but I see no mention of it in the changes report:
>
> https://cloud.r-project.org/bin/windows/base/NEWS.R-4.4.0.html
>
> Is this real? Were there changes in R 4.4.0 that aren't reported?
>
> Of course, we should *always* update to the most recent version, but I was confused why it wasn't mentioned in the release info.
>
> Thanks,
> Tim
>
> ______________________________________________
> R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
> https://stat.ethz.ch/mailman/listinfo/r-help
> PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
> and provide commented, minimal, self-contained, reproducible code.

--
Peter Dalgaard, Professor, Center for Statistics, Copenhagen Business School
Solbjerg Plads 3, 2000 Frederiksberg, Denmark
Phone: (+45)38153501
Office: A 4.23
Email: pd....@cbs.dk Priv: pda...@gmail.com