chore(release notes): add two more CVEs which are fixed in 1.3.1 but which we forgot to uncomment

Signed-off-by: Nick Boldt <[email protected]>

Author: nickboldt

modules/release-notes/list-fixed-security-issues-in-product-1.3.1.txt

@@ -1,6 +1,4 @@
 # CVE number, affected package, fixed in version(s), JIRA
+CVE-2024-21536,http-proxy-middleware,2.0.7||3.0.3,RHIDP-4612
+CVE-2024-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-2733
 CVE-2024-45590,body-parser,1.20.3,RHIDP-3917,mostly fixed but missed immobiliarelabs-backstage-plugin-gitlab-backend-dynamic
-
-# not yet fixed, built, or ready for release
-# CVE-2024-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-2733
-# CVE-2024-21536,http-proxy-middleware,2.0.7||3.0.3,RHIDP-4612

modules/release-notes/snip-fixed-security-issues-in-product-1.3.1.adoc

@@ -1,4 +1,10 @@
 = {product} dependency updates
 
+link:https://access.redhat.com/security/cve/CVE-2024-21536[CVE-2024-21536]::
+A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths.
+
+link:https://access.redhat.com/security/cve/CVE-2024-37890[CVE-2024-37890]::
+A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service.
+
 link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]::
 A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.