From 8fb7db245a93fbf606fba4121c3e4dbbc462f362 Mon Sep 17 00:00:00 2001 From: Wayne Davison Date: Thu, 12 Aug 2004 20:58:33 +0000 Subject: [PATCH] Mention the security fix. --- NEWS | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NEWS b/NEWS index 8d38b97e..290c72d8 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,14 @@ NEWS for rsync 2.6.3 (UNRELEASED) Protocol: 28 (unchanged) Changes since 2.6.2: + SECURITY FIXES: + + - A bug in the sanitize_path routine (which affects a non-chrooted + rsync daemon) could allow a user to specify an absolute path for + certain options (but not for file-transfer names). If you're running + a rsync daemon with chroot disabled, *please upgrade*, ESPECIALLY if + the user privs you run rsync under is anything above "nobody". + OUTPUT CHANGES (ATTN: those using a script to parse the verbose output): - Please note that the 2-line footer (output when verbose) now uses the -- 2.34.1
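Review bot: The new SECURITY FIXES entry says "certain options" in the sanitize_path sentence without naming them, so an admin reading NEWS cannot tell whether their daemon setup is exposed; name the affected options, or at least the kind of option, in that sentence. The entry also gives upgrading as the only action, although it states that the bug affects only a non-chrooted daemon, so a short line saying that a daemon running with chroot enabled is not affected would give readers something to check before they can upgrade. Minor wording: "a rsync daemon with chroot disabled" should read "an rsync daemon", and "the user privs you run rsync under is" should be "are".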