From ee9c5a16f8da93a3033cd2a37902011cfca9775c Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 15 Mar 2023 17:35:26 +0000 Subject: [PATCH] Update NEWS Signed-off-by: Simon McVittie --- NEWS | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/NEWS b/NEWS index 6d334708..31c9aeaa 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,20 @@ Changes in 1.10.8 ~~~~~~~~~~~~~~~~~ Not released yet +Security fixes: + + * Escape special characters when displaying permissions and metadata, + preventing malicious apps from manipulating the appearance of the + permissions list using crafted metadata (CVE-2023-28101). + + * If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), + don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). + Note that this is specific to virtual consoles: Flatpak is not + vulnerable to this if run from a graphical terminal emulator such as + xterm, gnome-terminal or Konsole. + +Other bug fixes: + * If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146) * Fix Autotools build with versions of gpgme that no longer provide @@ -16,6 +30,7 @@ Not released yet * Fix a typo in an error message * Fix incorrect year in NEWS for 1.10.7 release * Translation update: pl + * Add test coverage for Flatpak's seccomp filters Changes in 1.10.7 ~~~~~~~~~~~~~~~~~
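Review bot: In the first hunk, the CVE-2023-28101 entry says "special characters" without naming which characters are escaped or which commands print the permissions and metadata in question, so a reader cannot tell from NEWS alone whether output they rely on is covered. Suggest naming the character class and the affected output. The CVE-2023-28100 entry is clearer about scope (virtual consoles only, not graphical terminal emulators), but it states only what is now disallowed; a short clause on what a user who cannot upgrade yet should do, such as not running apps from tty1, tty2, etc., would make the entry actionable. Both entries sit under "Not released yet", so it is worth checking that the release date line is updated in the same series as the CVE references.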
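Review bot: In the second hunk, " * Add test coverage for Flatpak's seccomp filters" is appended to a list whose other visible entries are fixes and a translation update, and the first hunk puts an "Other bug fixes:" heading above that list; a test addition is not a bug fix. Suggest either moving it under a separate heading for internal changes or, if these tests exercise the TIOCLINUX restriction from the security section, saying so in the bullet so the link between the fix and its regression coverage is visible to readers of NEWS.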