git.ipfire.org Git - thirdparty/util-linux.git/commitdiff
docs: update v2.37.4-ReleaseNotes
author Karel Zak <kzak@redhat.com>
Mon, 14 Feb 2022 09:48:24 +0000 (10:48 +0100)
committer Karel Zak <kzak@redhat.com>
Mon, 14 Feb 2022 09:48:24 +0000 (10:48 +0100)
Signed-off-by: Karel Zak <kzak@redhat.com>
Documentation/releases/v2.37.4-ReleaseNotes [new file with mode: 0644]

diff --git a/Documentation/releases/v2.37.4-ReleaseNotes b/Documentation/releases/v2.37.4-ReleaseNotes
new file mode 100644 (file)
index 0000000..330ab09
--- /dev/null
@@ -0,0 +1,15 @@
+util-linux 2.37.4 Release Notes
+===============================
+
+This release fixes security issue in chsh(1) and chfn(8):
+
+CVE-2022-0563
+
+  The readline library uses INPUTRC= environment variable to get a path
+  to the library config file. When the library cannot parse the
+  specified file, it prints an error message containing data from the
+  file.
+    
+  Unfortunately, the library does not use secure_getenv() (or a similar
+  concept), or sanitize the config file path to avoid vulnerabilities that
+  could occur if set-user-ID or set-group-ID programs.
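Review bot: The closing sentence of the CVE-2022-0563 paragraph is missing its verb: "could occur if set-user-ID or set-group-ID programs." never says what those programs do. Something like "that could occur if set-user-ID or set-group-ID programs use the library" would complete it. The notes also describe only the readline behaviour (INPUTRC= is honoured and the parse error echoes data from the file) and never state what changed in chsh and chfn in this release, nor that the practical impact is disclosure of file content the caller could not otherwise read; one sentence on each would let a packager judge the fix without reading the code. Smaller points: the intro line should read "fixes a security issue", the section numbers in "chsh(1) and chfn(8)" are inconsistent for two commands of the same kind and the one for chfn should be checked, and the blank line between the two paragraphs carries trailing whitespace.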