Update NEWS wrt. sec fixes

diff --git a/NEWS b/NEWS
index f506b78b4eea0a7ac80063990bbcbe61f242b365..e670c3f999f123da66e504aa0434e5366c58f32d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -48,6 +48,10 @@ PHP                                                                        NEWS
 - Libxml:
   . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence)
 
+- Mbstring:
+  . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). 
+    (CVE-2020-7060) (Nikita)
+
 - OPcache:
   . Fixed bug #79040 (Warning Opcode handlers are unusable due to ASLR). (cmb)
 
@@ -63,10 +67,14 @@ PHP                                                                        NEWS
   . Fixed bug #78982 (pdo_pgsql returns dead persistent connection). (SATŌ
     Kentarō)
 
+- Session:
+  . Fixed bug #79091 (heap use-after-free in session_create_id()). (cmb, Nikita)
+
 - Shmop:
   . Fixed bug #78538 (shmop memory leak). (cmb)
 
 - Standard:
+  . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb)
   . Fixed bug #54298 (Using empty additional_headers adding extraneous CRLF).
     (cmb)