doc: release: 2.4: Add notes and security info about UpdateHub

Add release and security notes related to UpdateHub.

Signed-off-by: Gerson Fernando Budke <[email protected]>

Author: nandojve

doc/releases/release-notes-2.4.rst

@@ -30,6 +30,7 @@ Security Vulnerability Related
 
 The following CVEs are addressed by this release:
 
+* CVE-2020-10060: UpdateHub Might Dereference An Uninitialized Pointer
 * CVE-2020-10064: Improper Input Frame Validation in ieee802154 Processing
 * CVE-2020-10066: Incorrect Error Handling in Bluetooth HCI core
 * CVE-2020-10072: all threads can access all socket file descriptors
@@ -671,6 +672,8 @@ Libraries / Subsystems
 
   * updatehub:
 
+    * Added download block check.
+    * Added support to flash integrity check using SHA-256 algorithm.
     * Moved updatehub from lib to subsys/mgmt directory.
     * Fixed out-of-bounds access and add flash_img_init return value check.
     * Fixed getaddrinfo resource leak.

doc/security/vulnerabilities.rst

@@ -353,13 +353,25 @@ available.
 
 See NCC-ZEP-030
 
-This issue has not been fixed.
+This has been fixed in a PR against Zephyr master.
 
 - `CVE-2020-10060 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10060>`_
 
 - `Zephyr project bug tracker ZEPSEC-37
   <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-37>`_
 
+- `PR27865 fix on master (to be fixed in v2.4.0)
+  <https://github.com/zephyrproject-rtos/zephyr/pull/27865>`_
+
+- `PR27865 fix for v2.3.0
+  <https://github.com/zephyrproject-rtos/zephyr/pull/27889>`_
+
+- `PR27865 fix for v2.2.0
+  <https://github.com/zephyrproject-rtos/zephyr/pull/27891>`_
+
+- `PR27865 fix for v2.1.0
+  <https://github.com/zephyrproject-rtos/zephyr/pull/27893>`_
+
 CVE-2020-10061
 --------------