Add a NEWS entry for CrackLib security issues

author Russ Allbery <eagle@eyrie.org>

Wed, 19 Oct 2016 16:20:54 +0000 (09:20 -0700)

committer Russ Allbery <eagle@eyrie.org>

Wed, 19 Oct 2016 16:20:54 +0000 (09:20 -0700)
author Russ Allbery <eagle@eyrie.org>
Wed, 19 Oct 2016 16:20:54 +0000 (09:20 -0700)
committer Russ Allbery <eagle@eyrie.org>
Wed, 19 Oct 2016 16:20:54 +0000 (09:20 -0700)
diff --git a/NEWS b/NEWS

index 8229d5fb1d1843413fd2c4368aab8bd39e5f1bb1..dde582b5f56414445c5b7e521172d0c0348cce65 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,14 @@ krb5-strength 3.1 (unreleased)
      relying on Debian's patched version.  Thanks to Bernt Jernberg for the
      report.
  
+    Apply the SuSE patch for a buffer overflow when using duplicate rules
+    to the embedded CrackLib.  No duplicating rules are used in the rule
+    set included with this package, and this package doesn't expose the
+    general API, so this was not exploitable, but best to close the latent
+    issue.  (The other recent CrackLib vulnerability, CVE-2016-6318,
+    doesn't apply since all the GECOS manipulation code was removed from
+    the embedded CrackLib in this package.)
+
  krb5-strength 3.0 (2014-03-25)
  
      The krb5-strength plugin and heimdal-strength program now support a
author	Russ Allbery <eagle@eyrie.org>
	Wed, 19 Oct 2016 16:20:54 +0000 (09:20 -0700)
committer	Russ Allbery <eagle@eyrie.org>
	Wed, 19 Oct 2016 16:20:54 +0000 (09:20 -0700)