doc: mention the fix for CVE-2010-4651

* NEWS: Mention the fix.
author: Jim Meyering <meyering@redhat.com> 2011-02-03 22:46:58 +0100
committer: Andreas Gruenbacher <agruen@linbit.com> 2011-02-03 23:08:03 +0100
commit: 4c3004c17fa72b5b87a1eec29ad41cd6549d0017 (patch)
tree: 3b98d7c38a7b259422b8ebe248133662c7e1184b /NEWS
parent: 685a78b6052f4df6eac6d625a545cfb54a6ac0e1 (diff)
download: patch-4c3004c17fa72b5b87a1eec29ad41cd6549d0017.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index c727782..65d3796 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,5 @@
+* patch now rejects a destination file name that is absolute or that contains
+  a component of "..".  This addresses CVE-2010-4651,
 * Support for most features of the "diff --git" format: renames and copies,
   permission changes, symlink diffs.  Caveats:
   + Binary diffs are not supported yet; patch will complain and skip them.
author	Jim Meyering <meyering@redhat.com>	2011-02-03 22:46:58 +0100
committer	Andreas Gruenbacher <agruen@linbit.com>	2011-02-03 23:08:03 +0100
commit	4c3004c17fa72b5b87a1eec29ad41cd6549d0017 (patch)
tree	3b98d7c38a7b259422b8ebe248133662c7e1184b /NEWS
parent	685a78b6052f4df6eac6d625a545cfb54a6ac0e1 (diff)
download	patch-4c3004c17fa72b5b87a1eec29ad41cd6549d0017.tar.gz