Reword NEWS for the bugfix/security release.

(mentions the assigned CVE number)

Misc/NEWS.d/next/Library/2023-12-01-21-05-46.gh-issue-112334.DmNXKh.rst

@@ -1,11 +1,10 @@
 Fixed a performance regression in 3.12's :mod:`subprocess` on Linux where it
-would no longer use the fast-path ``vfork()`` system call when it could have
-due to a logic bug, instead falling back to the safe but slower ``fork()``.
+would no longer use the fast-path ``vfork()`` system call when it should have
+due to a logic bug, instead always falling back to the safe but slower ``fork()``.
 
-Also fixed a second 3.12.0 potential security bug.  If a value of
-``extra_groups=[]`` was passed to :mod:`subprocess.Popen` or related APIs,
-the underlying ``setgroups(0, NULL)`` system call to clear the groups list
-would not be made in the child process prior to ``exec()``.
+Also fixed a related 3.12 security regression: If a value of ``extra_groups=[]``
+was passed to :mod:`subprocess.Popen` or related APIs, the underlying
+``setgroups(0, NULL)`` system call to clear the groups list would not be made
+in the child process prior to ``exec()``.  This has been assigned CVE-2023-6507.
 
-This was identified via code inspection in the process of fixing the first
-bug.
+This was identified via code inspection in the process of fixing the first bug.