xenbits.xensource.com Git - libvirt.git/commitdiff
NEWS: Mention security bug in storage pool object lookup (CVE-2021-3667)
author Peter Krempa <pkrempa@redhat.com>
Tue, 27 Jul 2021 12:36:30 +0000 (14:36 +0200)
committer Peter Krempa <pkrempa@redhat.com>
Wed, 28 Jul 2021 06:10:20 +0000 (08:10 +0200)
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
NEWS.rst

index 37f3c48d88a28ef3cafceef1eecf415e534e0841..d791b34efbeb7aa274d79b208a29bad489626711 100644 (file)
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -11,6 +11,15 @@ For a more fine-grained view, use the `git log`_.
 v7.6.0 (unreleased)
 ===================
 
+* **Security**
+
+  * storage: Unlock pool objects on ACL check failures in ``storagePoolLookupByTargetPath`` (CVE-2021-3667)
+
+    A logic bug in ``storagePoolLookupByTargetPath`` where the storage pool
+    object was left locked after a failure of the ACL check could potentially
+    deprive legitimate users access to a storage pool object by users who don't
+    have access.
+
 * **New features**
 
   * qemu: Incremental backup support via ``virDomainBackupBegin``
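
Review bot: The last sentence of the added paragraph under the storage item is hard to parse: "deprive legitimate users access to a storage pool object by users who don't have access" leaves it unclear who does what to whom. Consider putting the actor first, for example "could allow users without access to the pool to deprive legitimate users of access to the storage pool object", so a reader scanning the Security section can tell at once that a caller who fails the ACL check can block other users of the pool. The item line naming ``storagePoolLookupByTargetPath`` and the CVE is also much longer than the wrapped body lines below it and could be wrapped the same way. The entry does not say which releases contain the bug; if that is known, one clause stating it would help users decide whether they need to update.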