2 files changed, 8 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index af42147e73..50fe518b9b 100644
--- a/NEWS
+++ b/NEWS
@@ -17,7 +17,9 @@ PHP                                                                        NEWS
   . Implemented FR #38409 (parse_ini_file() looses the type of booleans). (Tjerk)
   . Fixed #67959 (Segfault when calling phpversion('spl')). (Florian)
   . Implemented the RFC `Catchable "Call to a member function bar() on a
-    non-object"` (Timm)
+    non-object"`. (Timm)
+  . Added options parameter for unserialize allowing to specify acceptable
+    classes (https://wiki.php.net/rfc/secure_unserialize). (Stas)
   . Fixed bug #68185 ("Inconsistent insteadof definition."- incorrectly triggered). (Julien)
 
 - DBA:
diff --git a/UPGRADING b/UPGRADING
index 61a512505b..fe282138d1 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -76,6 +76,11 @@ PHP X.Y UPGRADE NOTES
 - parse_ini_file():
 - parse_ini_string():
   Added scanner mode INI_SCANNER_TYPED to yield typed .ini values.
+- unserialize():
+  Added second parameter for unserialize function 
+  (RFC: https://wiki.php.net/rfc/secure_unserialize) allowing to specify
+  acceptable classes: 
+  unserialize($foo, ["allowed_classes" => ["MyClass", "MyClass2"]);
 
 
 ========================================