From 4c3004c17fa72b5b87a1eec29ad41cd6549d0017 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Thu, 3 Feb 2011 22:46:58 +0100 Subject: doc: mention the fix for CVE-2010-4651 * NEWS: Mention the fix. --- ChangeLog | 5 +++++ NEWS | 2 ++ 2 files changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 20810cb..c213230 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2011-02-03 Jim Meyering + + doc: mention the fix for CVE-2010-4651 + * NEWS: Mention the fix. + 2011-02-01 Jim Meyering and Andreas Gruenbacher diff --git a/NEWS b/NEWS index c727782..65d3796 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,5 @@ +* patch now rejects a destination file name that is absolute or that contains + a component of "..". This addresses CVE-2010-4651, * Support for most features of the "diff --git" format: renames and copies, permission changes, symlink diffs. Caveats: + Binary diffs are not supported yet; patch will complain and skip them. -- cgit v1.2.1
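Review bot: In the NEWS hunk, the second added line ends with a comma ("This addresses CVE-2010-4651,") directly before the next "*" item, so the entry reads as an unfinished sentence; it should end with a period. The entry also says patch "rejects" an absolute or ".."-containing destination name without saying what the user will see, for example whether only that file is skipped or the whole run stops. Since this is a behaviour change for existing patch files, one more clause stating that would help readers of NEWS.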