Mention CVE-2014-4043 in NEWS

author Allan McRae <allan@archlinux.org>

Sat, 21 Jun 2014 07:23:55 +0000 (17:23 +1000)

committer Adhemerval Zanella <azanella@linux.vnet.ibm.com>

Fri, 16 Jan 2015 12:07:18 +0000 (07:07 -0500)
author Allan McRae <allan@archlinux.org>
Sat, 21 Jun 2014 07:23:55 +0000 (17:23 +1000)
committer Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Fri, 16 Jan 2015 12:07:18 +0000 (07:07 -0500)
diff --git a/ChangeLog b/ChangeLog

index e24271c45d2fab65eac9dd36026488ce9c6e8e91..3a38309ee101db00aa810dab3bdc0f1ec3385057 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-06-21  Allan McRae  <allan@archlinux.org>
+
+       * NEWS: Mention CVE-2014-4043.
+
  2014-06-11  Florian Weimer  <fweimer@redhat.com>
  
         [BZ #17048]
diff --git a/NEWS b/NEWS

index fa6caeb75a57de628ffe91bf68a6043f5dc4af13..8fc3cf871d3513161c9ceae86dd96cf4694ac154 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,12 @@ Version 2.18.1
  
  * Support for powerpc64le has been added.
  
+* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
+  copy the path argument.  This allowed programs to cause posix_spawn to
+  deference a dangling pointer, or use an unexpected pathname argument if
+  the string was modified after the posix_spawn_file_actions_addopen
+  invocation.
+
  * Locale names, including those obtained from environment variables (LANG
    and the LC_* variables), are more tightly checked for proper syntax.
    setlocale will now fail (with EINVAL) for locale names that are overly
author	Allan McRae <allan@archlinux.org>
	Sat, 21 Jun 2014 07:23:55 +0000 (17:23 +1000)
committer	Adhemerval Zanella <azanella@linux.vnet.ibm.com>
	Fri, 16 Jan 2015 12:07:18 +0000 (07:07 -0500)
ChangeLog		patch \| blob \| blame \| history
NEWS		patch \| blob \| blame \| history