From df834b02d49220bdb3dcff82f6564d5c2c41e8d6 Mon Sep 17 00:00:00 2001 From: Ralf Wildenhues Date: Sun, 6 Dec 2009 16:23:47 +0100 Subject: [PATCH] Update NEWS. * NEWS: Update. Signed-off-by: Ralf Wildenhues --- ChangeLog | 4 ++++ NEWS | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/ChangeLog b/ChangeLog index ce2d912fe..defad733c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2009-12-06 Ralf Wildenhues + + * NEWS: Update. + 2009-12-05 Antonio Diaz Diaz Replace unlzma, gunzip, bunzip2 with pack tool -d invocation. diff --git a/NEWS b/NEWS index cd427fbed..7ce9efd57 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,8 @@ New in 1.11.0a: Bugs fixed in 1.11.0a: + - Lots of minor bugfixes. + * Bugs introduced by 1.11: - The `parallel-tests' test driver works around a GNU make 3.80 bug with @@ -21,6 +23,11 @@ Bugs fixed in 1.11.0a: - AM_PROG_GCJ uses AC_CHECK_TOOLS to look for `gcj' now, so that prefixed tools are preferred in a cross-compile setup. + - The distribution is tarred up with mode 755 now by the `dist*' targets. + This fixes a race condition where untrusted users could modify files + in the $(PACKAGE)-$(VERSION) distdir before packing if the toplevel + build directory was world-searchable. This is CVE-2009-4029. + New in 1.11: -- 2.47.2
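Review bot: The ChangeLog entry `* NEWS: Update.`, like the identical subject line, gives no hint that the NEWS change documents a security fix. Naming the CVE there, for example `* NEWS: Update; mention CVE-2009-4029.`, would let someone searching the log for the identifier find this commit.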
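Review bot: In the first NEWS hunk, `- Lots of minor bugfixes.` under "Bugs fixed in 1.11.0a:" gives the reader nothing to act on, and it heads a section in which the same patch also adds a CVE entry. Consider dropping the line or moving it below the specific items, so the security fix is not read as one of the "minor" ones.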
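Review bot: In the second NEWS hunk, the new entry says the distribution is "tarred up with mode 755", while the race it goes on to describe concerns files in the $(PACKAGE)-$(VERSION) distdir before packing. The wording should make clear that it is the distdir's permissions during a `dist*` run that changed, and state what they were before, so a reader can judge their exposure. The entry also does not say which releases are affected: the hunk context only places it under "Bugs fixed in 1.11.0a:", so it is unclear whether the problem is limited to 1.11 or also present in earlier versions.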