From 54883434b92aed5259e8babf9e71aa2bbeb494cc Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Sun, 26 Nov 2017 19:48:39 +0100 Subject: [PATCH] update CHANGES (1.1-maint) for 1.1.3 release --- docs/changes.rst | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/changes.rst b/docs/changes.rst index e80a968bb..2a2cc1a40 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -131,8 +131,8 @@ The best check that everything is ok is to run a dry-run extraction:: Changelog ========= -Version 1.1.3 (not released yet) --------------------------------- +Version 1.1.3 (2017-11-27) +-------------------------- Compatibility notes: @@ -153,7 +153,11 @@ Compatibility notes: Fixes: -- XXX SECFIX XXX +- Security Fix for CVE-2017-15914: Incorrect implementation of access controls + allows remote users to override repository restrictions in Borg servers. + A user able to access a remote Borg SSH server is able to circumvent access + controls post-authentication. + Affected releases: 1.1.0, 1.1.1, 1.1.2. Releases 1.0.x are NOT affected. - crc32: deal with unaligned buffer, add tests - this broke borg on older ARM CPUs that can not deal with unaligned 32bit memory accesses and raise a bus error in such cases. the fix might also improve performance on some CPUs as
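Review bot: In the first hunk, the new heading "Version 1.1.3 (2017-11-27)" carries a date one day later than this commit's own Date header (Sun, 26 Nov 2017). If 2017-11-27 is the planned release date, that is fine, but confirm it before tagging so the changelog and the release do not disagree.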
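Review bot: In the second hunk, the CVE-2017-15914 entry lists the affected releases (1.1.0, 1.1.1, 1.1.2) but does not say what an operator has to do. Since the text places the flaw "in Borg servers", add a sentence stating that the server side must be upgraded to 1.1.3, and name the repository restrictions that can be overridden so admins can tell whether their setup relies on them. The entry also appears only as the first bullet under "Fixes:"; a pointer from "Compatibility notes:" would make the security fix harder to miss.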