Add security related NEWS entries [ci skip]

diff --git a/NEWS b/NEWS
index 76ea3d16bf8ca4a38cb5962ea52b932cad68edfa..6e6407aed64fa004362d151316dad297943d4e61 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -37,6 +37,12 @@ PHP                                                                        NEWS
   . Fixed bug #69044 (discrepency between time and microtime). (krakjoe)
   . Updated timelib to 2018.02. (Derick)
 
+- EXIF:
+  . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment).
+    (CVE-2019-11042) (Stas)
+  . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).
+    (CVE-2019-11041) (Stas)
+
 - FTP:
   . Fixed bug #78039 (FTP with SSL memory leak). (Nikita)
 
@@ -67,11 +73,15 @@ PHP                                                                        NEWS
 - PCRE:
   . Fixed bug #78197 (PCRE2 version check in configure fails for "##.##-xxx"
     version strings). (pgnet, Peter Kokot)
+  . Fixed bug #78338 (Array cross-border reading in PCRE). (cmb)
 
 - PDO_Sqlite:
   . Fixed bug #78192 (SegFault when reuse statement after schema has changed).
     (Vincent Quatrevieux)
 
+- Phar:
+  . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb)
+
 - Phpdbg:
   . Fixed bug #78297 (Include unexistent file memory leak). (Nikita)