X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/82c6be7edfc5a5d198093b917ecb9fb5f7471406..8fb7db245a93fbf606fba4121c3e4dbbc462f362:/NEWS diff --git a/NEWS b/NEWS index 6bf3e4ef..290c72d8 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,14 @@ NEWS for rsync 2.6.3 (UNRELEASED) Protocol: 28 (unchanged) Changes since 2.6.2: + SECURITY FIXES: + + - A bug in the sanitize_path routine (which affects a non-chrooted + rsync daemon) could allow a user to specify an absolute path for + certain options (but not for file-transfer names). If you're running + a rsync daemon with chroot disabled, *please upgrade*, ESPECIALLY if + the user privs you run rsync under is anything above "nobody". + OUTPUT CHANGES (ATTN: those using a script to parse the verbose output): - Please note that the 2-line footer (output when verbose) now uses the @@ -158,8 +166,6 @@ Changes since 2.6.2: - The finished file now gets its permissions and modified-time updated before it gets moved into place. - - Lots of documentation improvements in the exclude/include sections. - INTERNAL: - Some cleanup in the exclude code has saved some per-exclude memory
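Review bot: In the first NEWS hunk (the new SECURITY FIXES entry), "certain options" is too vague for an administrator to judge exposure. Name the affected options, or at least say what kind of option accepts the path. The entry also only implies that a chrooted daemon is unaffected; state that explicitly so readers know whether enabling chroot is an acceptable interim measure before upgrading. Minor wording: "a rsync daemon" should be "an rsync daemon", and "the user privs you run rsync under is" reads better as "the user privileges you run rsync under are".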
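Review bot: In the second NEWS hunk (around line 158), the removal of "Lots of documentation improvements in the exclude/include sections." is unrelated to the security entry added above, and nothing visible in the diff explains it. If the line was moved or superseded elsewhere in NEWS, say so in the commit message. Otherwise split it into its own commit so the security announcement can be reviewed and backported cleanly.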