CVE-2020-28014, CVE-2021-27216: PID file handling

[exim.git] / doc / doc-txt / ChangeLog

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 87f1952f5b56ef272be56b77f2fb21fbe4588fdb..e2843e3b669e59617f9853f8c44c011d2a665734 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -205,6 +205,14 @@ PP/11 Fix security issue in BDAT state confusion.
       mode until after various protocol state checks.
       Fixes CVE-2020-BDATA reported by Qualys.
 
+HS/03 Die on "/../" in msglog file names
+
+QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
+      the Exim runtime user are allowed to create files.
+
+QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
+      runtime user.
+
 
 Exim version 4.94
 -----------------