From 57293ffc9693531c1bc3543f5e9ed8a325fbfa71 Mon Sep 17 00:00:00 2001
From: Sebastien Helleu <flashcode@flashtux.org>
Date: Sun, 18 Nov 2012 12:04:33 +0100
Subject: [PATCH] core: add version 0.3.9.2 in ChangeLog and NEWS

---
 ChangeLog | 6 ++++++
 NEWS      | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 2be112f93..3807ddc2f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -52,6 +52,12 @@ Version 0.4.0 (under dev!)
 * relay: add missing "ssl." in output of /relay listrelay
 * script: fix compilation on OS X
 
+Version 0.3.9.2 (2012-11-18)
+----------------------------
+
+* core: do not call shell to execute command in hook_process (fix security
+  problem when a plugin/script gives untrusted command) (bug #37764)
+
 Version 0.3.9.1 (2012-11-09)
 ----------------------------
 
diff --git a/NEWS b/NEWS
index 716e5cfa4..65b8a2c95 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,7 @@
 WeeChat Release Notes
 =====================
 Sébastien Helleu <flashcode@flashtux.org>
-v0.4.0-dev, 2012-11-09
+v0.4.0-dev, 2012-11-18
 
 
 Version 0.4.0 (under dev!)
@@ -24,6 +24,12 @@ Important release notes:
   or disable IPv6 in relay if you don't plan to use it at all:
 ** `/set relay.network.ipv6 off`
 
+Version 0.3.9.2 (2012-11-18)
+----------------------------
+
+This version fixes a security vulnerability when a plugin/script gives untrusted
+command to API function "hook_process".
+
 Version 0.3.9.1 (2012-11-09)
 ----------------------------