Mention the security fix.

author Wayne Davison <wayned@samba.org>

Thu, 12 Aug 2004 20:58:33 +0000 (20:58 +0000)

committer Wayne Davison <wayned@samba.org>

Thu, 12 Aug 2004 20:58:33 +0000 (20:58 +0000)
author Wayne Davison <wayned@samba.org>
Thu, 12 Aug 2004 20:58:33 +0000 (20:58 +0000)
committer Wayne Davison <wayned@samba.org>
Thu, 12 Aug 2004 20:58:33 +0000 (20:58 +0000)
diff --git a/NEWS b/NEWS

index 8d38b97..290c72d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,14 @@ NEWS for rsync 2.6.3 (UNRELEASED)
  Protocol: 28 (unchanged)
  Changes since 2.6.2:
  
+  SECURITY FIXES:
+
+    - A bug in the sanitize_path routine (which affects a non-chrooted
+      rsync daemon) could allow a user to specify an absolute path for
+      certain options (but not for file-transfer names).  If you're running
+      a rsync daemon with chroot disabled, *please upgrade*, ESPECIALLY if
+      the user privs you run rsync under is anything above "nobody".
+
    OUTPUT CHANGES (ATTN: those using a script to parse the verbose output):
  
      - Please note that the 2-line footer (output when verbose) now uses the
author	Wayne Davison <wayned@samba.org>
	Thu, 12 Aug 2004 20:58:33 +0000 (20:58 +0000)
committer	Wayne Davison <wayned@samba.org>
	Thu, 12 Aug 2004 20:58:33 +0000 (20:58 +0000)