From b29ecec4efdf9d53c05a66223062971caf1594e9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 30 Jul 2019 09:26:50 +0200 Subject: add security NEW entries + reorder [ci skip] --- NEWS | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/NEWS b/NEWS index d8181a7028..4103d76188 100644 --- a/NEWS +++ b/NEWS @@ -25,6 +25,15 @@ PHP NEWS 01 Aug 2019, PHP 7.2.21 +- Date: + . Fixed bug #69044 (discrepency between time and microtime). (krakjoe) + +- EXIF: + . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). + (CVE-2019-11042) (Stas) + . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). + (CVE-2019-11041) (Stas) + - Fileinfo: . Fixed bug #78183 (finfo_file shows wrong mime-type for .tga file). (Joshua Westerheide) @@ -32,20 +41,6 @@ PHP NEWS - FTP: . Fixed bug #77124 (FTP with SSL memory leak). (Nikita) -- PDO_Sqlite: - . Fixed bug #78192 (SegFault when reuse statement after schema has changed). - (Vincent Quatrevieux) - -- SQLite: - . Upgraded to SQLite 3.28.0. (cmb) - -- XMLRPC: - . Fixed bug #78173 (XML-RPC mutates immutable objects during encoding). - (Asher Baker) - -- Date: - . Fixed bug #69044 (discrepency between time and microtime). (krakjoe) - - Libxml: . Fixed bug #78279 (libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)). (Nikita) 
@@ -68,14 +63,28 @@ PHP NEWS . Fixed bug #78291 (opcache_get_configuration doesn't list all directives). (Andrew Collington) +- Phar: + . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb) + - Phpdbg: . Fixed bug #78297 (Include unexistent file memory leak). (Nikita) +- PDO_Sqlite: + . Fixed bug #78192 (SegFault when reuse statement after schema has changed). + (Vincent Quatrevieux) + +- SQLite: + . Upgraded to SQLite 3.28.0. (cmb) + - Standard: . Fixed bug #78241 (touch() does not handle dates after 2038 in PHP 64-bit). (cmb) . Fixed bug #78269 (password_hash uses weak options for argon2). (Remi) +- XMLRPC: + . Fixed bug #78173 (XML-RPC mutates immutable objects during encoding). + (Asher Baker) + 04 Jul 2019, PHP 7.2.20 - Core: -- cgit v1.2.1
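Review bot: The Date entry added ahead of EXIF in the first hunk (@@ -25,6 +25,15 @@) carries the misspelling "discrepency" over from its old position. Since the line is being moved anyway, correct it to "discrepancy", unless NEWS entries are meant to mirror the bug title verbatim. The two EXIF entries are consistent with each other: bug number, description, CVE id on the continuation line, then author.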
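Review bot: The second hunk (@@ -32,20 +41,6 @@) only deletes the PDO_Sqlite, SQLite, XMLRPC and Date sections, which come back in the first and third hunks, so the reorder and the new CVE entries cannot be reviewed separately. Consider splitting the pure reorder from the addition of the EXIF and Phar entries, so that the security-relevant lines form a small, self-contained diff and the moved entries can be checked as unchanged text.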
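Review bot: In the third hunk (@@ -68,14 +63,28 @@) PDO_Sqlite is re-inserted after Phpdbg, which leaves the section order as Phar, Phpdbg, PDO_Sqlite, SQLite. If the reorder is meant to be alphabetical, PDO_Sqlite belongs before Phar. Also, the new Phar entry "Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN)" has no CVE id, unlike the EXIF entries in the same commit. Add one if it was assigned, so that readers scanning NEWS for security fixes do not miss it.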