Update NEWS

Author: nicolargo

NEWS.rst

@@ -28,6 +28,11 @@ Enhancements:
 * All plugins now expose min/max/mean statistics since startup #3462
 * Improved CPU plugin display on macOS (graceful handling of unavailable fields) #3464
 
+Security patches:
+
+* Unauthenticated Configuration Secrets Exposure
+* SQL Injection via Process Names in TimescaleDB Export
+
 Code quality:
 
 * JSON serializer hardened with comprehensive type normalization #3454
@@ -38,7 +43,7 @@ Code quality:
 Thanks to all the contributors for this version: @YamiYukiSenpai, @amzon-ex,
 @axodentally, @fpusan, @janusn, @kleinmatic, @lcheylus, @lubomir-moric, @mark-rahal,
 @mikemhenry, @Ambika-Patidar, @AbdelhamidKhald, @Julietmgbole,
-@sdoshi2061, @cjlindem
+@sdoshi2061, @cjlindem, @theamanrawat
 
 ===============
 Version 4.5.0.5

glances/exports/glances_timescaledb/__init__.py

@@ -180,10 +180,7 @@ def export(self, plugin, creation_list, segmented_by, values_list):
                 # Build CREATE TABLE using sql.Identifier for column names (prevents injection)
                 # Each item in creation_list is "colname TYPE [NULL|NOT NULL]"
                 fields = sql.SQL(', ').join(
-                    sql.SQL("{} {}").format(
-                        sql.Identifier(item.split(' ')[0]),
-                        sql.SQL(' '.join(item.split(' ')[1:]))
-                    )
+                    sql.SQL("{} {}").format(sql.Identifier(item.split(' ')[0]), sql.SQL(' '.join(item.split(' ')[1:])))
                     for item in creation_list
                 )
                 create_query = sql.SQL(