doc: release notes: Update security notes for 2.3

Add information about security issues addressed in the v2.3.0 release. Signed-off-by: David Brown <david.brown@linaro.org>
zephyrproject-rtos · May 11, 2020 · ed2d263 · ed2d263
1 parent 1108611
commit ed2d263
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/doc/releases/release-notes-2.3.rst b/doc/releases/release-notes-2.3.rst
@@ -16,7 +16,17 @@ The following sections provide detailed lists of changes by component.
 Security Vulnerability Related
 ******************************
 
-No security vulnerabilities received.
+The following CVEs are addressed by this release:
+
+* CVE-2020-10022: UpdateHub Module Copies a Variable-Sized Hash String
+  into a fixed-size array.
+* CVE-2020-10059: UpdateHub Module Explicitly Disables TLS
+  Verification
+* CVE-2020-10062: Under embargo until 2020/05/25
+* CVE-2020-10063: Under embargo until 2020/05/25
+
+More detailed information can be found in:
+https://docs.zephyrproject.org/latest/security/vulnerabilities.html
 
 API Changes
 ***********

diff --git a/doc/security/vulnerabilities.rst b/doc/security/vulnerabilities.rst
@@ -360,6 +360,16 @@ This issue has not been fixed.
 - `Zephyr project bug tracker ZEPSEC-37
   <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-37>`_
 
+CVE-2020-10062
+--------------
+
+Under embargo until 2020/05/25
+
+CVE-2020-10063
+--------------
+
+Under embargo until 2020/05/25
+
 CVE-2020-10067
 --------------