Release v1.11.2 (unlikely issue, but a release never hurts)1.11.2

author: Daniel Friesel <derf@finalrewind.org> 2011-02-09 20:14:54 +0100
committer: Daniel Friesel <derf@finalrewind.org> 2011-02-09 20:14:54 +0100
commit: 29ab0855f044ef2fe9c295b72abefcb37f0861a5 (patch)
tree: 9c0193cfba2df38f8fd452766e4da880bdb8bda5
parent: a16225248e8feca0020113c4e93a30600a35b8f0 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 98cee36..6359db8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Wed, 09 Feb 2011 20:11:26 +0100  Daniel Friesel <derf@finalrewind.org>
+
+* Release v1.11.2
+    * Use wget --no-clobber to prevent TOCTTOU-based hole allowing a
+      well-informed attacker to rewrite arbitrary user files with images.
+      The attacker needs to know feh's PID and the URL the user gave it.
+      It is still possible for an attacker to _create_ arbitrary files via the
+      same hole.
+
 Wed, 26 Jan 2011 21:07:19 +0100
 
 * Release v1.11.1
author	Daniel Friesel <derf@finalrewind.org>	2011-02-09 20:14:54 +0100
committer	Daniel Friesel <derf@finalrewind.org>	2011-02-09 20:14:54 +0100
commit	29ab0855f044ef2fe9c295b72abefcb37f0861a5 (patch)
tree	9c0193cfba2df38f8fd452766e4da880bdb8bda5
parent	a16225248e8feca0020113c4e93a30600a35b8f0 (diff)