Update NEWS with security fixes info

bukka · bukka · commit c4d7f1b43d6c · 2024-09-23T12:09:34.000+01:00
diff --git a/NEWS b/NEWS
@@ -1,6 +1,13 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? ????, PHP 8.2.24
+26 Sep 2024, PHP 8.2.24
+
+- CGI:
+  . Fixed bug GHSA-p99j-rfp4-xqvq (Bypass of CVE-2024-4577, Parameter Injection
+    Vulnerability). (CVE-2024-8926) (nielsdos)
+  . Fixed bug GHSA-94p6-54jq-9mwp (cgi.force_redirect configuration is
+    byppassible due to the environment variable collision). (CVE-2024-8927)
+    (nielsdos)
 
 - Core:
   . Fixed bug GH-15408 (MSan false-positve on zend_max_execution_timer).
@@ -26,6 +33,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-15752 (Incorrect error message for finfo_file
     with an empty filename argument). (DanielEScherzer)
 
+- FPM:
+  . Fixed bug GHSA-865w-9rf3-2wh5 (Logs from childrens may be altered).
+    (CVE-2024-9026) (Jakub Zelenka)
+
 - MySQLnd:
   . Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
     Kamil Tekiela)
@@ -36,6 +47,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-15658 (Segmentation fault in Zend/zend_vm_execute.h).
     (nielsdos)
 
+- SAPI:
+  . Fixed bug GHSA-9pqp-7h25-4f32 (Erroneous parsing of multipart form data).
+    (CVE-2024-8925) (Arnaud)
+
 - SOAP:
   . Fixed bug #73182 (PHP SOAPClient does not support stream context HTTP
     headers in array form). (nielsdos)
