From 27f345b878b8a9c84a987f7c7059996f41d7fd96 Mon Sep 17 00:00:00 2001
From: Micah Snyder <micasnyd@cisco.com>
Date: Sun, 1 Sep 2024 15:00:49 -0400
Subject: [PATCH] News: updates prior to 1.3.2

---
 NEWS.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/NEWS.md b/NEWS.md
index 86e9b1cc0d..5dbd9dc4fe 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -7,6 +7,34 @@ differ slightly from third-party binary packages.
 
 ClamAV 1.3.2 is a patch release with the following fixes:
 
+- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
+  Changed the logging module to disable following symlinks on Linux and Unix
+  systems so as to prevent an attacker with existing access to the 'clamd' or
+  'freshclam' services from using a symlink to corrupt system files.
+
+  This issue affects all currently supported versions. It will be fixed in:
+  - 1.4.1
+  - 1.3.2
+  - 1.0.7
+  - 0.103.12
+
+  Thank you to Detlef for identifying this issue.
+
+- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
+  Fixed a possible out-of-bounds read bug in the PDF file parser that could
+  cause a denial-of-service (DoS) condition.
+
+  This issue affects all currently supported versions. It will be fixed in:
+  - 1.4.1
+  - 1.3.2
+  - 1.0.7
+  - 0.103.12
+
+  Thank you to OSS-Fuzz for identifying this issue.
+
+- Removed unused Python modules from freshclam tests including deprecated
+  'cgi' module that is expected to cause test failures in Python 3.13.
+
 - Fix unit test caused by expiring signing certificate.
   - Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1305)