From df3f18acf0d4fae14f26c9de0c9675736aff0eb5 Mon Sep 17 00:00:00 2001
From: Edward Thomson <ethomson@edwardthomson.com>
Date: Mon, 5 Aug 2019 00:32:11 +0100
Subject: changelog: include security updates

---
 docs/changelog.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/changelog.md b/docs/changelog.md
index e5eaf0794..563c5c9c8 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -22,6 +22,16 @@ v0.28 + 1
 * libgit2 can now correctly cope with URLs where the host contains a colon
   but a port is not specified.  (eg `http://example.com:/repo.git`).
 
+* A carefully constructed commit object with a very large number
+  of parents may lead to potential out-of-bounds writes or
+  potential denial of service.
+
+* The ProgramData configuration file is always read for compatibility
+  with Git for Windows and Portable Git installations.  The ProgramData
+  location is not necessarily writable only by administrators, so we
+  now ensure that the configuration file is owned by the administrator
+  or the current user.
+
 v0.28
 -----
 
-- 
cgit v1.2.1