author Derick Rethans <github@derickrethans.nl> 2020-09-29 11:11:51 +0100
committer Derick Rethans <github@derickrethans.nl> 2020-09-29 11:14:02 +0100
commit d84f56a4a736506623f5800b9d51a34da19c50ef
tree 85101d95c8a84df518b24c2e235c570fd02859cb
parent d99c01953528dac2b16b6831e08055cd28ef8c21
NEWS maintenance
-rw-r--r-- NEWS 9
-rw-r--r-- UPGRADING 4
2 files changed, 8 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index 24207f561e..6af9da9575 100644
--- a/NEWS
+++ b/NEWS
@@ -2,10 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 7.4.11
-
-17 Sep 2020, PHP 7.4.11RC1
-
- Core:
+ . Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-`
+ cookies can be sent). (CVE-2020-7070) (Stas)
. Fixed bug #79979 (passing value to by-ref param via CUFA crashes). (cmb,
Nikita)
. Fixed bug #80037 (Typed property must not be accessed before initialization
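Review bot: The new #79699 entry under Core names the bug and the CVE but not the behaviour change that fixes it, which the UPGRADING part of this commit files under SAPI: incoming cookie names are no longer url-decoded. Consider ending the entry with a pointer such as "(see UPGRADING)" so that someone scanning NEWS for CVE-2020-7070 learns that cookie-name handling changed, not only that a bug was closed. With the "17 Sep 2020, PHP 7.4.11RC1" header removed, the remaining header still reads "?? ??? ????, PHP 7.4.11", so the date has to be filled in when the release is tagged.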
@@ -29,6 +28,10 @@ PHP NEWS
. Fixed bug #79825 (opcache.file_cache causes SIGSEGV when custom opcode
handlers changed). (SammyK)
+- OpenSSL:
+ . Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
+ bytes IV). (CVE-2020-7069) (Jakub Zelenka)
+
- PDO:
. Fixed bug #80027 (Terrible performance using $query->fetch on queries with
many bind parameters (Matteo)
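Review bot: In the trailing context of this hunk the #80027 entry never closes its opening parenthesis: "many bind parameters (Matteo)" should read "many bind parameters). (Matteo)" to match the other entries, and a NEWS maintenance commit is the natural place to fix it. On the added OpenSSL entry, the text says the ciphertext and tag were wrong for a 12 bytes IV but not what that means for data already encrypted that way; a short pointer to guidance for affected users would help.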
diff --git a/UPGRADING b/UPGRADING
index 40a768d6ba..7f4a800a7b 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -126,8 +126,8 @@ DOM:
The new signature is also (LSP) compatible with older PHP versions.
- SAPI:
- . Starting with 7.4.12, incoming cookie names are not url-decoded. This was never
- required by the standard, outgoing cookie names aren't encoded and this leads
+ . Starting with 7.4.11, incoming cookie names are not url-decoded. This was never
+ required by the standard, outgoing cookie names aren't encoded and this leads
to security issues (CVE-2020-7070).
- SPL:
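Review bot: The corrected SAPI note says incoming cookie names are not url-decoded starting with 7.4.11 but gives no migration guidance: code that looks up a cookie whose name arrives percent-encoded will now find it only under the raw, still-encoded name. Add a sentence stating that. The second removed/added pair ("required by the standard, outgoing cookie names aren't encoded and this leads") is textually identical as shown, so it looks like a whitespace-only change; confirm that is intended. The wording would also be clearer split in two: "This was never required by the standard. Outgoing cookie names aren't encoded, and decoding incoming ones leads to security issues (CVE-2020-7070)."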