doc: release notes: Update security notes for 2.3

Add information about security issues addressed in the v2.3.0 release. Signed-off-by: David Brown <david.brown@linaro.org>
2020-05-11 11:50:32 -06:00 · 2020-05-11 11:50:32 -06:00 · ed2d263e0c
commit ed2d263e0c
parent 1108611a3e
2 changed files with 21 additions and 1 deletions
--- a/doc/releases/release-notes-2.3.rst
+++ b/doc/releases/release-notes-2.3.rst
@ -16,7 +16,17 @@ The following sections provide detailed lists of changes by component.
 Security Vulnerability Related
 ******************************

-No security vulnerabilities received.
+The following CVEs are addressed by this release:
+
+* CVE-2020-10022: UpdateHub Module Copies a Variable-Sized Hash String
+  into a fixed-size array.
+* CVE-2020-10059: UpdateHub Module Explicitly Disables TLS
+  Verification
+* CVE-2020-10062: Under embargo until 2020/05/25
+* CVE-2020-10063: Under embargo until 2020/05/25
+
+More detailed information can be found in:
+https://docs.zephyrproject.org/latest/security/vulnerabilities.html

 API Changes
 ***********
--- a/doc/security/vulnerabilities.rst
+++ b/doc/security/vulnerabilities.rst
@ -360,6 +360,16 @@ This issue has not been fixed.
 - `Zephyr project bug tracker ZEPSEC-37
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-37>`_

+CVE-2020-10062
+--------------
+
+Under embargo until 2020/05/25
+
+CVE-2020-10063
+--------------
+
+Under embargo until 2020/05/25
+
 CVE-2020-10067
 --------------