Update NEWS.

* NEWS: Update.

Signed-off-by: Ralf Wildenhues <Ralf.Wildenhues@gmx.de>
diff --git a/ChangeLog b/ChangeLog
index 8f3ea9c..1bb240f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2009-12-08  Ralf Wildenhues  <Ralf.Wildenhues@gmx.de>
+
+	* NEWS: Update.
+
 2009-11-28  Jim Meyering  <meyering@redhat.com>
 
 	do not put world-writable directories in distribution tarballs
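Review bot: The new ChangeLog entry "* NEWS: Update." does not say what was updated, so the CVE reference cannot be found from the ChangeLog alone. Since the NEWS change documents CVE-2009-4029 for the distdir permission fix, name it here, for example "* NEWS: Mention CVE-2009-4029 for the distdir mode change."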
diff --git a/NEWS b/NEWS
index 998b161..2a317b2 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,10 @@
 * Longstanding bugs:
 
   - The distribution is tarred up with mode 755 now by the `dist*' targets.
+    This fixes a race condition where untrusted users could modify files
+    in the $(PACKAGE)-$(VERSION) distdir before packing if the toplevel
+    build directory was world-searchable.  This is CVE-2009-4029.
+
 
 Bugs fixed in 1.9.6:
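Review bot: The added sentences under the "mode 755" item describe the race but never state what made the distdir modifiable in the first place, so a reader cannot tell from NEWS why "mode 755" is the fix. The 2009-11-28 ChangeLog entry speaks of world-writable directories; say the same here, for example "the distdir was previously world-writable, so untrusted users could modify files ...". It would also help to note that the exposure lasts only between creating the distdir and packing it, as "before packing" implies. Separately, the trailing added empty line sits directly above an existing empty line, leaving two blank lines before "Bugs fixed in 1.9.6:"; drop it unless the file uses double spacing between sections.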