Update NEWS for CVE-2019-19126

[thirdparty/glibc.git] / NEWS

diff --git a/NEWS b/NEWS
index 4ad7c47d5f4bc43fe5a302022c4ab552d1c9700d..6b3f4e077601063290e3a14c7a5911f9d4c24296 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -51,6 +51,12 @@ Security related changes:
   via proceed_next_node in posix/regexec.c leads to heap-based buffer
   over-read.  Reported by Hongxu Chen.
 
+  CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
+  environment variable during program execution after a security
+  transition, allowing local attackers to restrict the possible mapping
+  addresses for loaded libraries and thus bypass ASLR for a setuid
+  program.  Reported by Marcin Kościelnicki.
+
 \f
 Version 2.29