From 41639cdb1d280d3ba759200ef3363d828eb21f94 Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Thu, 14 Aug 2025 07:47:04 +0200
Subject: [PATCH] Add reference to CVE-2025-8836, CVE-2025-8837 in NEWS
 document

---
 NEWS.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NEWS.txt b/NEWS.txt
index 29853d6f..a7b09817 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -2,13 +2,13 @@
 ==================
 
 * Fixed a bug in the JPC decoder that could cause bad memory accesses
-  if the debug level is set sufficiently high (#402, #403).
+  if the debug level is set sufficiently high (#402, #403) (CVE-2025-8837).
 
 4.2.7 (2025-08-02)
 ==================
 
 * Added some missing range checking on several coding parameters in the
-  JPC encoder (#401).
+  JPC encoder (#401) (CVE-2025-8836).
 
 4.2.6 (2025-08-02)
 ==================