From 4d1291eaaabc6ff440fa1e76e0c9160fd8a3c21a Mon Sep 17 00:00:00 2001
From: John Kehayias <john@guixotic.coop>
Date: Fri, 20 Feb 2026 01:16:13 -0500
Subject: [PATCH] news: Announce potential security issue in glibc package.

* etc/news.scm: Add entry.

Change-Id: Iea4883d83cae7dee937d46d534cfa8dad17b1028
---
 etc/news.scm | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/etc/news.scm b/etc/news.scm
index b7f9c059cd..008751d296 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -42,6 +42,16 @@
 (channel-news
  (version 0)
 
+ (entry (commit "d659fe8666c4bc38fcbdbe7b7a35101f2d7cc41b")
+        (title
+         (en "Potential security vulnerability in glibc"))
+        (body
+         (en "Guix adds the environment variable @code{GUIX_LOCPATH} to glibc,
+however it was not added to potentially unsafe variables to be unset in
+privileged environments.  A CVE number is pending for this issue.  This has
+been fixed with a graft to glibc and users should update all profiles,
+reconfigure their system, and reboot.")))
+
  (entry (commit "6d4cb99a15da7f4fd55f956c55f4f4aacfcc7742")
         (title
          (en "@code{%desktop-services} now includes GDM on AArch64")