From d7f4f3f5fb1275f0b3d9f4e1b3d9d7b75a5a9e26 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Fri, 29 Jan 2021 17:29:57 +0100
Subject: NEWS: Mention CVE-2021-3326 (iconv assertion with ISO-20220-JP-3)

---
 NEWS | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/NEWS b/NEWS
index 920fc779d0..013f8ce9b1 100644
--- a/NEWS
+++ b/NEWS
@@ -102,6 +102,12 @@ Changes to build and runtime requirements:
 
 Security related changes:
 
+  CVE-2021-3326: An assertion failure during conversion from the
+  qISO-20220-JP-3 character set using the iconv function has been fixed.
+  This assertion was triggered by certain valid inputs in which the
+  converted output contains a combined sequence of two wide characters
+  crossing a buffer boundary.  Reported by Tavis Ormandy.
+
   CVE-2020-27618: An infinite loop has been fixed in the iconv program when
   invoked with input containing redundant shift sequences in the IBM1364,
   IBM1371, IBM1388, IBM1390, or IBM1399 character sets.
-- 
cgit 1.4.1