CVE-2020-28008: Assorted attacks in Exim's spool directory

[exim.git] / doc / doc-txt / ChangeLog

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 87f1952f5b56ef272be56b77f2fb21fbe4588fdb..636fdf71e058ba74fa1bf5eff7892f2343b6ea84 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -205,6 +205,11 @@ PP/11 Fix security issue in BDAT state confusion.
       mode until after various protocol state checks.
       Fixes CVE-2020-BDATA reported by Qualys.
 
+HS/03 Die on "/../" in msglog file names
+
+QS/01 Creation of (database) files in $spool_dir: only uid=0 or the euid of
+      the Exim runtime user are allowed to create files.
+
 
 Exim version 4.94
 -----------------