1 files changed, 8 insertions, 2 deletions

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index f482e29cd..c4b2dd8e0 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -22,10 +22,12 @@ This release includes the following changes:
  o url: Added smtp and pop3 hostnames to the protocol detection list
  o imap/pop3/smtp: Added support for enabling the SASL initial response [8]
  o curl -E: allow to use ':' in certificate nicknames [10]
- o 
 
 This release includes the following bugfixes:
 
+ o SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond the end
+   of the input buffer [26]
+
  o FTP: access files in root dir correctly [1]
  o configure: try pthread_create without -lpthread [2]
  o FTP: handle a 230 welcome response [3]
@@ -63,6 +65,7 @@ This release includes the following bugfixes:
  o lib1900: use tutil_tvnow instead of gettimeofday
  o curl_easy_perform: avoid busy-looping [23]
  o CURLOPT_COOKIELIST: take cookie share lock [24]
+ o multi_socket: react on socket close immediately [25]
 
 This release includes the following known bugs:
 
@@ -78,7 +81,8 @@ advice from friends like these:
  Renaud Guillard, John Gardiner Myers, Jared Jennings, Eric Hu,
  Yamada Yasuharu, Stefan Neis, Mike Giancola, Eric S. Raymond, Andrii Moiseiev,
  Christian Weisgerber, Peter Gal, Aleksey Tulinov, Hang Su, Sergei Nikulov,
- Miguel Angel, Nach M. S., Benjamin Gilbert
+ Miguel Angel, Nach M. S., Benjamin Gilbert, Erik Johansson, Timo Sirainen,
+ Guenter Knauf
 
         Thanks! (and sorry if I forgot to mention someone)
 
@@ -108,3 +112,5 @@ References to bug reports and discussions on issues:
  [22] = http://curl.haxx.se/bug/view.cgi?id=1235
  [23] = http://curl.haxx.se/bug/view.cgi?id=1238
  [24] = http://curl.haxx.se/bug/view.cgi?id=1215
+ [25] = http://curl.haxx.se/bug/view.cgi?id=1248
+ [26] = http://curl.haxx.se/docs/adv_20130622.html