# HG changeset patch
# User Matt Johnston <matt@ucc.asn.au>
# Date 1330004736 -28800
# Node ID d354464b2aa6f6ba0bf44d43bcae5aa798435393
# Parent  c015af8a71cf2aae40a5ae2ef3105341670128f2
- Improve CHANGES description

diff -r c015af8a71cf -r d354464b2aa6 CHANGES
--- a/CHANGES	Wed Feb 22 22:12:15 2012 +0800
+++ b/CHANGES	Thu Feb 23 21:45:36 2012 +0800
@@ -1,14 +1,16 @@
 2012.55 - Wednesday 22 February 2012
 
-- Security: Fix use-after-free bug that could be triggered when multiple command sessions were
-  made when a command="" authorized_keys restriction was in effect. Possible arbitrary
-  code execution to an authenticated user, and probable bypass of the command="" restriction.
-  CVE-2012-0920. Thanks to Danny Fullerton of Mantor Organization for reporting the bug
+- Security: Fix use-after-free bug that could be triggered if command="..."
+  authorized_keys restrictions are used.  Could allow arbitrary code execution
+  or bypass of the command="..." restriction to an authenticated user.
+  This bug affects releases 0.52 onwards. Ref CVE-2012-0920.
+  Thanks to Danny Fullerton of Mantor Organization for reporting
+  the bug.
 
 - Compile fix, only apply IPV6 socket options if they are available in headers
   Thanks to Gustavo Zacarias for the patch
 
-- Clear key memory on exit
+- Overwrite session key memory on exit
 
 - Fix minor memory leak in unusual PAM authentication configurations.
   Thanks to Stathis Voukelatos