From 168e131b8b18fb6b23beb0409b2a65d244d99033 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 20 Nov 2019 12:47:52 +0100 Subject: [PATCH] update NEWS --- NEWS | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/NEWS b/NEWS index ca6a735e26a..13969976775 100644 --- a/NEWS +++ b/NEWS @@ -187,6 +187,19 @@ CHANGES WITH 244 in spe: used by the user service manager. The default is again to use the same path as the system manager. + * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for + outputting the 128bit IDs in UUID format (i.e. in the "canonical + representation"). + + * Service units gained a new sandboxing option ProtectKernelLogs= which + makes sure the program cannot get direct access to the kernel log + buffer anymore, i.e. the syslog() system call (not to be confused + with the API of the same name in libc, which is not affected), the + /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made + inaccessible to the service. It's recommended to enable this setting + for all services that should not be able to read from or write to the + kernel log buffer, which are probably almost all. + CHANGES WITH 243: * This release enables unprivileged programs (i.e. requiring neither
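Review bot: The ProtectKernelLogs= entry recommends enabling the setting for almost all services but never states the option's default, nor what a sandboxed program observes when it touches one of the blocked interfaces. A reader therefore cannot tell whether existing units change behaviour on upgrade, or how to recognise a denial when hardening a unit. Suggest adding one sentence giving the default, one saying how access to the syslog() system call and to the /proc/kmsg and /dev/kmsg nodes fails for the service (an error returned, or the node not being present), and a pointer to the man page that documents the option. The closing clause "which are probably almost all" would read more clearly as its own sentence, for example "This applies to almost all services." Minor style point in the systemd-id128 entry: "128bit" should be "128-bit".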