X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/f3ee72689411e4e871ffb18aba66b08ef2c2c594..cc637fcc5136e5fa9d2f1593247760c0ac6eb597:/NEWS

diff --git a/NEWS b/NEWS
index 0a5c8cdf..7bb1d6b7 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,12 @@ NEWS for rsync 2.6.6 (UNRELEASED)
 Protocol: 29 (unchanged)
 Changes since 2.6.5:
 
+  SECURITY FIXES:
+
+    - Applied a zlib fix to block a buffer overflow in the decompression
+      code.  Only affects a daemon if it allows uploads and does not refuse
+      the --compress option.
+
   BUG FIXES:
 
     - The setting of flist->high in clean_flist() was wrong for an empty list.
@@ -17,7 +23,7 @@ Changes since 2.6.5:
       totally unchanged items).
 
     - When backing up a changed symlink or device, get rid of any old backup
-      item so that we don't get an already-exists error.
+      item so that we don't get an "already exists" error.
 
     - A couple places that were comparing a local and a remote modification-
       time were not honoring the --modify-window option.
@@ -38,6 +44,9 @@ Changes since 2.6.5:
       also changed to try to be more secure and to fix a problem in the parsing
       of a pull operation that has multiple sources.
 
+    - Upgraded the zlib code from 1.1.4 to 1.2.2 (plus the security fix
+      mentioned above).
+
   BUILD CHANGES:
 
     - Made configure define NOBODY_USER (currently hard-wired to "nobody") and