X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/b8b0668e85eb3b3350904068eb8d29d499d4e980..bec617b934dc2ef90b7acd1c7ef4b5db74821e91:/NEWS

diff --git a/NEWS b/NEWS
index c9db11ad..91220e72 100644
--- a/NEWS
+++ b/NEWS
@@ -2,12 +2,18 @@ NEWS for rsync 2.6.6 (UNRELEASED)
 Protocol: 29 (unchanged)
 Changes since 2.6.5:
 
+  SECURITY FIXES:
+
+    - Applied a zlib fix to block a buffer overflow in the decompression
+      code.  Only affects a daemon if it allows uploads and does not refuse
+      the --compress option.
+
   BUG FIXES:
 
     - The setting of flist->high in clean_flist() was wrong for an empty list.
       This could cause flist_find() to crash in certain rare circumstances
       (e.g. if just the right directory setup was around when --fuzzy was
-      combined with --list-dest).
+      combined with --link-dest).
 
     - The outputting of hard-linked files when verbosity was > 1 was not right:
       without -i it would output the name of each hard-linked file as though
@@ -17,7 +23,7 @@ Changes since 2.6.5:
       totally unchanged items).
 
     - When backing up a changed symlink or device, get rid of any old backup
-      item so that we don't get an already-exists error.
+      item so that we don't get an "already exists" error.
 
     - A couple places that were comparing a local and a remote modification-
       time were not honoring the --modify-window option.
@@ -28,6 +34,10 @@ Changes since 2.6.5:
       ended in either a trailing slash or a trailing "/.", and a non-existing
       destination dir to tickle the bug in a recent version).
 
+    - If the user specifies a remote-host for both the source and destination,
+      we now output a syntax error rather than trying to open the destination
+      hostspec as a filename.
+
   ENHANCEMENTS:
 
     - Made the "max verbosity" setting in the rsyncd.conf file settable on a
@@ -38,6 +48,9 @@ Changes since 2.6.5:
       also changed to try to be more secure and to fix a problem in the parsing
       of a pull operation that has multiple sources.
 
+    - Upgraded the zlib code from 1.1.4 to 1.2.2 (plus the security fix
+      mentioned above).
+
   BUILD CHANGES:
 
     - Made configure define NOBODY_USER (currently hard-wired to "nobody") and