git.ipfire.org Git - thirdparty/glibc.git/commitdiff
Update NEWS for CVE-2019-19126
author Florian Weimer <fweimer@redhat.com>
Fri, 22 Nov 2019 12:45:03 +0000 (13:45 +0100)
committer Florian Weimer <fweimer@redhat.com>
Fri, 22 Nov 2019 12:45:03 +0000 (13:45 +0100)
NEWS

diff --git a/NEWS b/NEWS
index 4ad7c47d5f4bc43fe5a302022c4ab552d1c9700d..6b3f4e077601063290e3a14c7a5911f9d4c24296 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -51,6 +51,12 @@ Security related changes:
   via proceed_next_node in posix/regexec.c leads to heap-based buffer
   over-read.  Reported by Hongxu Chen.
 
+  CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
+  environment variable during program execution after a security
+  transition, allowing local attackers to restrict the possible mapping
+  addresses for loaded libraries and thus bypass ASLR for a setuid
+  program.  Reported by Marcin Koƛcielnicki.
+
 \f
 Version 2.29
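Review bot: The new CVE-2019-19126 entry gives no pointer to the change that fixes it and does not say which configurations are affected. Since this commit touches only NEWS, a reader cannot get from the entry to the ld.so fix. Consider adding the bug tracker reference to the entry and, if the LD_PREFER_MAP_32BIT_EXEC handling is limited to particular targets, naming them, so distributors can tell whether they need to backport. The phrase "during program execution after a security transition" would also be easier to act on if it named the condition ld.so actually tests for, since the entry's last clause mentions only setuid programs and leaves open whether other privilege-changing cases are covered.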