Patch R 4.0.0 - R 4.3.3 for CVE-2024-27322 #219
Conversation
We also update the NEWS file, so by grepping for 'CVE-2024-27322' one can tell if the patched version is installed or not.
That

No, no need to reinstall packages. What you see above is not our patch, it is the regular R NEWS, and what they mean is that if you installed packages for earlier versions of R (i.e. 3.6.x or earlier in this case), you cannot use those with R 4.0.0. But sensible people install packages into libraries that are specific for a certain (minor) R version, so in practice no need to reinstall anything.

Ah, yes. Definitely a standard expectation for us.
At install time the other NEWS files will be re-generated from NEWS.Rd. To check if your R version is patched, search for 'CVE-2024-27322' in the NEWS. From the command line:

```
grep -C 5 CVE-2024-27322 /opt/R/4.0.0/lib/R/doc/NEWS
```

From R:

```
options(browser = "false")
news(grepl("CVE-2024-27322", Text))
```
@glin OK, this should be better now. All the other NEWS files ( To check if your R version is patched, search for 'CVE-2024-27322' in the NEWS. From the command line:

```
grep -C 5 CVE-2024-27322 /opt/R/4.0.0/lib/R/doc/NEWS
```

From R:

```
options(browser = "false")
news(grepl("CVE-2024-27322", Text))
```

(I am not sure why the URL does not show up in R, probably an R bug.)
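The grep-based check above, as an added example that is not part of this PR: a small POSIX sh script that applies the same NEWS search to every R installation under a prefix and distinguishes "not patched" from "no NEWS file found". It assumes the `/opt/R/<version>/lib/R/doc/NEWS` layout used in the thread; the prefix and CVE id are parameters.

```shell
#!/bin/sh
# Added example (not from the PR): report which R installations under a
# prefix carry the CVE-2024-27322 fix, by searching each version's NEWS
# file for the CVE id, as the PR suggests. Assumes the /opt/R/<version>
# layout from the thread; both the prefix and the CVE id are parameters.

# news_has_cve NEWSFILE CVE
#   exit 0 if the NEWS file mentions the CVE id,
#   exit 1 if it does not,
#   exit 2 if the file is missing or unreadable (cannot tell either way).
news_has_cve() {
    news="$1"
    cve="$2"
    [ -r "$news" ] || return 2
    # -F: match the id literally, -q: status only, no output.
    grep -q -F -- "$cve" "$news" && return 0
    return 1
}

# r_patch_status PREFIX CVE
#   prints one "<version> <status>" line per directory PREFIX/<version>/,
#   checking PREFIX/<version>/lib/R/doc/NEWS for the CVE id.
r_patch_status() {
    prefix="${1:-/opt/R}"
    cve="${2:-CVE-2024-27322}"
    for dir in "$prefix"/*/; do
        [ -d "$dir" ] || continue          # no installations: glob unexpanded
        ver=$(basename "$dir")
        # Capture the status without tripping 'set -e' on a non-zero return.
        news_has_cve "$dir/lib/R/doc/NEWS" "$cve" && rc=0 || rc=$?
        case "$rc" in
            0) echo "$ver patched" ;;
            1) echo "$ver NOT patched" ;;
            *) echo "$ver no NEWS file (cannot tell)" ;;
        esac
    done
}

# Stand-alone use: scan /opt/R (or the prefix given as first argument).
r_patch_status "${1:-/opt/R}" "${2:-CVE-2024-27322}"
```

A version that reports "NOT patched" still needs a version-by-version look at its own NEWS entry before concluding anything, since the string is only present in builds that include this PR's NEWS update.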
Looks good, thanks for taking care of this.
@gaborcsardi Yeah it seems like an R bug. At least with 4.3.3, the URL shows up correctly:

```
> options(browser = "false")
> news(grepl("CVE-2024-27322", Text))
Changes in version 4.3.3
CHANGES IN POSIT'S BUILD FROM <https://github.com/rstudio/r-builds>
o readRDS() and unserialize() now signal an error instead of
returning a PROMSXP, to fix CVE-2024-27322.
```