From 2d17a4a8055f2067c85da8e3eee89cfe7183a573 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 19 Oct 2016 09:20:54 -0700 Subject: [PATCH] Add a NEWS entry for CrackLib security issues --- NEWS | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NEWS b/NEWS index 8229d5f..dde582b 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,14 @@ krb5-strength 3.1 (unreleased) relying on Debian's patched version. Thanks to Bernt Jernberg for the report. + Apply the SuSE patch for a buffer overflow when using duplicate rules + to the embedded CrackLib. No duplicating rules are used in the rule + set included with this package, and this package doesn't expose the + general API, so this was not exploitable, but best to close the latent + issue. (The other recent CrackLib vulnerability, CVE-2016-6318, + doesn't apply since all the GECOS manipulation code was removed from + the embedded CrackLib in this package.) + krb5-strength 3.0 (2014-03-25) The krb5-strength plugin and heimdal-strength program now support a -- 2.39.2
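Review bot: The added NEWS paragraph cites CVE-2016-6318 for the issue that does not apply, but gives no identifier or reference for the buffer overflow that is actually being fixed ("the SuSE patch for a buffer overflow when using duplicate rules"). If an advisory or patch reference exists for that issue, adding it here would let packagers match this entry against their own trackers. The entry also shifts from "duplicate rules" in the first sentence to "duplicating rules" in the second; using one term would make it clear both refer to the same rule type. Since the "not exploitable" claim depends on the shipped rule set containing none of these rules, it may be worth saying whether sites that supply their own rule set to the embedded CrackLib were affected before this fix.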