From: Wayne Davison <wayned@samba.org>
Date: Thu, 12 Aug 2004 20:58:33 +0000 (+0000)
Subject: Mention the security fix.
X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/commitdiff_plain/8fb7db245a93fbf606fba4121c3e4dbbc462f362

Mention the security fix.
---

diff --git a/NEWS b/NEWS
index 8d38b97e..290c72d8 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,14 @@ NEWS for rsync 2.6.3 (UNRELEASED)
 Protocol: 28 (unchanged)
 Changes since 2.6.2:
 
+  SECURITY FIXES:
+
+    - A bug in the sanitize_path routine (which affects a non-chrooted
+      rsync daemon) could allow a user to specify an absolute path for
+      certain options (but not for file-transfer names).  If you're running
+      a rsync daemon with chroot disabled, *please upgrade*, ESPECIALLY if
+      the user privs you run rsync under is anything above "nobody".
+
   OUTPUT CHANGES (ATTN: those using a script to parse the verbose output):
 
     - Please note that the 2-line footer (output when verbose) now uses the