From 15dc23b1be7d4c9964310072e2cad271168bbc2f Mon Sep 17 00:00:00 2001
From: Sebastian Wick <sebastian.wick@redhat.com>
Date: Tue, 7 Apr 2026 22:43:12 +0200
Subject: [PATCH] Update NEWS for 1.16.4

---
 NEWS | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 6325e536..77f4a05d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,8 +1,18 @@
  Changes in 1.16.4
  ~~~~~~~~~~~~~~~~~~
-Released: not yet
+Released: 2026-04-07
 
-...
+Security fixes:
+
+* Fix a complete sandbox escape which leads to host file access and code
+  execution in the host context (CVE-2026-34078)
+
+* Prevent arbitrary file deletion on the host filesystem (CVE-2026-34079)
+
+* Prevent arbitrary read-access to files in the system-helper context
+  (GHSA-2fxp-43j9-pwvc)
+
+* Prevent orphaning cross-user pull operations (GHSA-89xm-3m96-w3jg)
 
 Changes in 1.16.3
 ~~~~~~~~~~~~~~~~~~