1 files changed, 17 insertions, 4 deletions

diff --git a/NEWS b/NEWS
index 78b20ab9b5..212f728213 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,6 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-05 Mar 2015, PHP 5.6.7RC1
+19 Mar 2015, PHP 5.6.7
 
 - Core:
   . Fixed bug #69174 (leaks when unused inner class use traits precedence).
@@ -16,6 +16,10 @@
   . Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus)
   . Fixed bug #69141 (Missing arguments in reflection info for some builtin
     functions). (kostyantyn dot lysyy at oracle dot com)
+  . Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (Stas)
+  . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM
+    configuration options). (Anatol Belski)
+  . Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas)
 
 - CGI:
   . Fixed bug #69015 (php-cgi's getopt does not see $argv). (Laruence)
@@ -29,6 +33,10 @@
   . Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported
     by libcurl. (Linus Unneback)
 
+- Ereg:
+  . Fixed bug #69248 (heap overflow vulnerability in regcomp.c) (CVE-2015-2305).
+    (Stas)
+
 - FPM:
   . Fixed bug #68822 (request time is reset too early). (honghu069 at 163 dot com)
 
@@ -72,6 +80,10 @@
   . Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after 
     calling getChildren()). (Julien)
 
+- ZIP:
+  . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
+    boundary) (CVE-2015-2331). (Stas)
+
 19 Feb 2015, PHP 5.6.6
 
 - Core:
@@ -91,8 +103,8 @@
   . Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)
 
 - Enchant:
-  . Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()).
-    (Antony)
+  . Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict())
+    (CVE-2014-9705). (Antony)
 
 - Fileinfo:
   . Fixed bug #68827 (Double free with disabled ZMM). (Joshua Rogers)
@@ -129,7 +141,8 @@
     named pipes). (steffenb198 at aol dot com)
 
 - Phar:
-  . Fixed bug #68901 (use after free). (bugreports at internot dot info)
+  . Fixed bug #68901 (use after free) (CVE-2015-2301).
+    (bugreports at internot dot info)
 
 - Pgsql:
   . Fixed Bug #65199 (pg_copy_from() modifies input array variable) (Yasuo)