Add security backports in the changelog

byroot · byroot · commit c86a66178154 · 2026-03-18T18:51:18.000+01:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -2,9 +2,9 @@
 
 ### Unreleased
 
-### 2026-03-08 (2.19.2)
+### 2026-03-18 (2.19.2)
 
-* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`.
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
 
 ### 2026-03-08 (2.19.1)
 
@@ -24,6 +24,10 @@
 
 * Add `:allow_control_characters` parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).
 
+### 2026-03-18 (2.17.1.2) - Security Backport
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
+
 ### 2025-12-04 (2.17.1)
 
 * Fix a regression in parsing of unicode surogate pairs (`\uXX\uXX`) that could cause an invalid string to be returned.
@@ -50,6 +54,10 @@
 * Optimized numbers parsing using SWAR (thanks to Scott Myron).
 * Optimized parsing of pretty printed documents using SWAR (thanks to Scott Myron).
 
+### 2026-03-18 (2.15.2.1) - Security Backport
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
+
 ### 2025-10-25 (2.15.2)
 
 * Fix `JSON::Coder` to have one dedicated depth counter per invocation.
