Update NEWS. * NEWS: Update. Signed-off-by: Ralf Wildenhues <Ralf.Wildenhues@gmx.de>

commit: 71c8c45600c381c6c54451ce67e373ac93d5d0c4 [log] [tgz]
author: Ralf Wildenhues <Ralf.Wildenhues@gmx.de> Tue Dec 08 22:33:21 2009 +0100
committer: Ralf Wildenhues <Ralf.Wildenhues@gmx.de> Tue Dec 08 22:34:40 2009 +0100
tree: 892cca2da2a47a50a22c4cd71eb5fca062dff37a
parent: b1c42762931e9cd03aee3e4b4284dc2920c9eabc [diff]
diff --git a/ChangeLog b/ChangeLog
index 760bcb4..35a4fe3 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -1,3 +1,7 @@
+2009-12-08  Ralf Wildenhues  <Ralf.Wildenhues@gmx.de>
+
+	* NEWS: Update.
+
 2009-11-28  Jim Meyering  <meyering@redhat.com>
 
 	do not put world-writable directories in distribution tarballs

diff --git a/NEWS b/NEWS
index af79eff..e0b47d7 100644
--- a/NEWS
+++ b/NEWS

@@ -1,5 +1,8 @@
 New in 1.5.1a:
 * The distribution is tarred up with mode 755 now by the `dist*' targets.
+  This fixes a race condition where untrusted users could modify files
+  in the $(PACKAGE)-$(VERSION) distdir before packing if the toplevel
+  build directory was world-searchable.  This is CVE-2009-4029.
 
 New in 1.5:
 * Support for `configure.ac'.
commit	71c8c45600c381c6c54451ce67e373ac93d5d0c4	[log] [tgz]
author	Ralf Wildenhues <Ralf.Wildenhues@gmx.de>	Tue Dec 08 22:33:21 2009 +0100
committer	Ralf Wildenhues <Ralf.Wildenhues@gmx.de>	Tue Dec 08 22:34:40 2009 +0100
tree	892cca2da2a47a50a22c4cd71eb5fca062dff37a
parent	b1c42762931e9cd03aee3e4b4284dc2920c9eabc [diff]