add NEWS entries for sec fix

1 files changed, 14 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 7d08958c23..150194422a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-30 May 2019, PHP 7.2.19
+?? ??? ????, PHP 7.2.19
+
+- EXIF:
+  . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16).
+    (CVE-2019-11040) (Stas)
 
 - FPM:
   . Fixed bug #77934 (php-fpm kill -USR2 not working). (Jakub Zelenka)
@@ -8,6 +12,12 @@ PHP                                                                        NEWS
 
 - GD:
   . Fixed bug #77943 (imageantialias($image, false); does not work). (cmb)
+  . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm).
+    (CVE-2019-11038) (cmb)
+
+- Iconv:
+  . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
+    due to integer overflow). (CVE-2019-11039). (maris dot adam)
 
 - JSON:
   . Fixed bug #77843 (Use after free with json serializer). (Nikita)
@@ -29,6 +39,9 @@ PHP                                                                        NEWS
   . Fixed bug #77024 (SplFileObject::__toString() may return array). (Craig
     Duncan)
 
+- SQLite:
+  . Fixed bug #77967 (Bypassing open_basedir restrictions via file uris). (Stas)
+
 02 May 2019, PHP 7.2.18
 
 - CLI: