From b0cc5ed91fc257cd181d8ec322bd972a94a63e10 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 30 Sep 2022 09:18:03 +0200 Subject: [PATCH] add missing CVEs --- NEWS | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/NEWS b/NEWS index 44c45bb5f5a..c145a398f9e 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,8 @@ PHP NEWS Christian Schneider) . Fixed bug GH-9407 (LSP error in eval'd code refers to wrong class for static type). (ilutov) + . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones + that have a specific semantic meaning. (CVE-2022-31629). (Derick) - DOM: . Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free). @@ -38,6 +40,10 @@ PHP NEWS . Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed). (Yurunsoft) +- Phar: + . Fixed bug #81726: phar wrapper: DOS when using quine gzip file. + (CVE-2022-31628). (cmb) + - Reflection: . Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure). (cmb, Nicolas Grekas)
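Review bot: The new #81727 entry in the first hunk (NEWS, @@ -15,6 +15,8 @@) does not follow the form of the entry directly above it, which reads "Fixed bug GH-9407 (LSP error ...). (ilutov)" with the description in parentheses. The added line uses "Fixed bug #81727: ..." with a colon, and ends in "meaning. (CVE-2022-31629). (Derick)", so the description and the CVE tag each carry their own full stop. Suggest wrapping the description in parentheses like its neighbours and keeping a single terminator before the author. The description is also phrased as an instruction ("Don't mangle HTTP variable names ...") rather than as the defect, and it does not say which names have "a specific semantic meaning"; since this is a CVE entry, naming the affected variable names would let readers judge exposure from NEWS alone.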
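Review bot: In the second hunk (NEWS, @@ -38,6 +40,10 @@), the added Phar entry spells the abbreviation "DOS"; for denial of service this should be "DoS". The line "Fixed bug #81726: phar wrapper: DOS when using quine gzip file." also stacks two colons and departs from the parenthesised form used by the Reflection entry that follows ("Fixed bug GH-8932 (ReflectionFunction provides ...)"). Suggest "Fixed bug #81726 (phar wrapper: DoS when using quine gzip file). (CVE-2022-31628) (cmb)", and use the same CVE placement here as in the #81727 entry so that both security fixes can be found with one search pattern.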