From 5470ff699fbf1394cc165c984511d618ea5d7fd1 Mon Sep 17 00:00:00 2001 From: Patrick McDermott Date: Tue, 02 Apr 2019 12:59:51 -0400 Subject: NEWS: Note security (non-)implications of substvars bug --- (limited to 'NEWS') diff --git a/NEWS b/NEWS index 276cce0..d438541 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,11 @@ Bug fixes and minor changes: * configure no longer checks for make. This was needed for mksysconf, which was removed in version 4.0.0. * Substitution variables are now correctly set for binary packages - with non-alphanumeric characters in their names. + with non-alphanumeric characters in their names. Unsanitized data + was passed to eval, however it was first validated to not contain + characters such as whitespace and it was interpolated into a string + that couldn't yield a command name that would normally exist on any + system. opkbuild version 4.0.0 ---------------------- -- cgit v0.9.1
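Review bot: The sentence added to the substvars entry in NEWS describes the validation only as rejecting "characters such as whitespace", which is not enough for a reader to check the claim that the eval was harmless. Shell metacharacters such as `;`, `$`, backticks and parentheses contain no whitespace, so the entry should state the exact character set the check permits or rejects. It should also name the "unsanitized data" explicitly (the surrounding text implies the binary package name, but the new sentence does not say so) and give the released versions affected, since the entry sits under "Bug fixes and minor changes" with no version range. Consider replacing "couldn't yield a command name that would normally exist on any system" with the concrete form of the interpolated string, so the argument rests on something a packager can verify rather than on an assumption about which commands are installed. Minor: "eval, however it was" is a comma splice; "eval; however, it was" reads better.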