author Simon McVittie <simon.mcvittie@collabora.co.uk> 2017-02-16 16:27:58 +0000
committer Simon McVittie <simon.mcvittie@collabora.co.uk> 2017-02-16 16:36:31 +0000
commit 8116f98b49c2389e66c8715cf02782515fe99579
tree 96b67a139d645ee3f00253448ab0f3a9586a4688
parent ca04b6b2ed56a7df4976936a1ddda24f5e903354
Update NEWS for 1.8.x
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
-rw-r--r-- NEWS 26
1 files changed, 26 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 802f4e53..3dd602af 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,29 @@
+D-Bus 1.8.24 (UNRELEASED)
+==
+
+The fixes in this release are arguably security fixes, but if they
+affect you, please take this opportunity to rethink how you are
+configuring dbus.
+
+Fixes:
+
+• Prevent symlink attacks in the nonce-tcp transport on Unix that could
+ allow an attacker to overwrite a file named "nonce", in a directory
+ that the user running dbus-daemon can write, with a random value
+ known only to the user running dbus-daemon. This is unlikely to be
+ exploitable in practice, particularly since the nonce-tcp transport
+ is really only useful on Windows.
+
+ On Unix systems we strongly recommend using only the unix: and systemd:
+ transports, together with EXTERNAL authentication. These are the only
+ transports and authentication mechanisms enabled by default.
+
+ (fd.o #99828, Simon McVittie)
+
+• Avoid symlink attacks in the "embedded tests", which are not enabled
+ by default and should never be enabled in production builds of dbus.
+ (fd.o #99828, Simon McVittie)
+
D-Bus 1.8.22 (2016-10-10)
==
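Review bot: The introductory paragraph under the new "D-Bus 1.8.24 (UNRELEASED)" heading says "if they affect you" without saying how a reader can tell, and the conditions only appear further down inside the two bullets. Consider stating up front that only setups using the nonce-tcp transport on Unix, or builds with the "embedded tests" enabled, are affected, so someone skimming NEWS can triage without reading the full entry. Separately, both bullets cite fd.o #99828; if the embedded-tests fix is tracked under the same bug that is fine, but it is worth confirming the second reference is intentional and not a copy-paste.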