From 6f30d7003a26cfd4e5fe9357abc9877cb5f393f3 Mon Sep 17 00:00:00 2001 From: Peter Krempa Date: Fri, 13 Nov 2020 15:24:51 +0100 Subject: [PATCH] NEWS: Mention change of default for TLS certificate verification Signed-off-by: Peter Krempa Reviewed-by: Michal Privoznik --- NEWS.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 98303432f0..e21d750f46 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -11,6 +11,17 @@ For a more fine-grained view, use the `git log`_. v6.10.0 (unreleased) ==================== +* **Security** + + * qemu: Enable client TLS certificate validation by default for ``chardev``, + ``migration``, and ``backup`` servers. + + The default value if qemu.conf options ``chardev_tls_x509_verify``, + ``migrate_tls_x509_verify``, or ``backup_tls_x509_verify`` are not specified + explicitly in the config file and also the ``default_tls_x509_verify`` config + option is missing are now '1'. This ensures that only legitimate clients + access servers, which don't have any additional form of authentication. + * **New features** * hyperv: implement new APIs
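Review bot: The second paragraph of the new Security entry is hard to parse. In "The default value if qemu.conf options ... are now '1'", "if" looks like a typo for "of", and the singular subject "default value" is paired with "are". Suggested wording: "The default value of the qemu.conf options ``chardev_tls_x509_verify``, ``migrate_tls_x509_verify`` and ``backup_tls_x509_verify`` is now '1' when neither the option itself nor ``default_tls_x509_verify`` is set in the config file." The comma in "servers, which don't have any additional form of authentication" also makes the clause read as applying to all servers; dropping the comma ("servers that don't have ...") matches the intent. Since this is a change of default, the entry should also say what it means on upgrade: hosts that relied on the old default will now require clients to present a certificate that validates, and the entry should note that the previous behaviour is kept only by setting the relevant option explicitly to '0'.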