[evince] NEWS: Add CVE numbers close their release notes



commit db2697e9784aff489c82389829408d560fd4d396
Author: Germán Poo-Caamaño <gpoo gnome org>
Date:   Wed Aug 1 16:03:51 2018 -0400

    NEWS: Add CVE numbers close their release notes
    
    Some bug fixes did not happen to have a CVE number in the NEWS file.
    
    Added also NEWS-security.md to aggregate the security fixes in Evince
    across branches.  For example, CVE-2017-1000083 affected only until
    version 3.24, which was already branched. Therefore, it does not
    appear in the NEWS file from master. Sometimes, people want to have
    a quick look if CVE are fixed in a product. By adding this file, we
    hope we can cope with that need.
    
    Fixes #864

 NEWS             | 16 +++++++++++-----
 NEWS-security.md | 23 +++++++++++++++++++++++
 2 files changed, 34 insertions(+), 5 deletions(-)
---
diff --git a/NEWS b/NEWS
index e53ef988..31a5ca6f 100644
--- a/NEWS
+++ b/NEWS
@@ -380,11 +380,14 @@ Bug fixes:
     * Fix several memory leaks (#770070 and #770069, Eric R. Schulz)
     * Fix scaling calculation in PostScript backend (#755776, Jason
       Crain)
-    * Fix a crash when processing button events in EvView (#769700,
-      Marek Kasik)
     * Fix a crash when opening a copy of a document with annotation
       popup windows (#760299, Jose Aliste)
 
+Security Fixes:
+
+    * Fix a crash when processing button events in EvView (#769700)
+      CVE-2013-3718. (Marek Kasik)
+
 Translation updates:
 
     * David Medina (ca)
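
Review bot: the moved EvView entry drops the period between the bug reference and the CVE id: "(#769700)" runs straight into "CVE-2013-3718." on the next line, while the PS backend entry later in this patch is written "(#380191). CVE-2006-5864.". Suggest "(#769700)." so every security entry uses the same separators and the bug/CVE pair can be matched with one pattern.
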
@@ -2975,11 +2978,14 @@ New Features and UI Improvements:
 Bug fixes:
 
     * Fix return value in g_return_val_if_fail() macro (Daniel Garcia)
-    * Fix several security issues in dvi backend: CVE-2010-2640,
-      CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643 (José Aliste)
     * Do not use deprecated API: GdkCursor, GtkStyle, size-request
       (Carlos Garcia Campos)
 
+Security Fixes:
+
+    * Fix several security issues in dvi backend: CVE-2010-2640,
+      CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643 (José Aliste)
+
 Translation updates:
 
     * Khaled Hosny (ar)
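
Review bot: the dvi backend entry is moved under "Security Fixes:" unchanged, so it is now the only security entry touched by this patch without a bug reference (the other two carry #769700 and #380191). If tracker issues exist for these four CVEs, add them here. The entry also keeps the colon form ("dvi backend: CVE-2010-2640, ...") while NEWS-security.md writes the same item as "dvi backend." followed by the CVE list; using one form in both files would keep them in sync.
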
@@ -5214,7 +5220,7 @@ Bug Fixes:
 
 Security Fixes:
 
-    * Buffer overflow in PS backend. CVE-2006-5864. (Carlos Garcia Campos)
+    * Buffer overflow in PS backend (#380191). CVE-2006-5864. (Carlos Garcia Campos)
 
 Translations:
 
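
Review bot: adding "(#380191)" pushes the PS backend line to more than 80 characters, while the surrounding NEWS entries wrap well before that. Suggest wrapping it the way NEWS-security.md does in this same patch: "Buffer overflow in PS backend (#380191)." on the first line and "CVE-2006-5864. (Carlos Garcia Campos)" on the continuation line.
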
diff --git a/NEWS-security.md b/NEWS-security.md
new file mode 100644
index 00000000..8725cc13
--- /dev/null
+++ b/NEWS-security.md
@@ -0,0 +1,23 @@
+Security fixes
+==============
+
+* Evince 3.24.1
+
+    * Remove support for tar and tar-like commands in commics backend
+      (#784630). CVE-2017-1000083. (Bastien Nocera)
+
+* Evince 3.21.92
+
+    * Fix a crash when processing button events in EvView (#769700)
+      CVE-2013-3718. (Marek Kasik)
+
+* Evince 2.91.5
+
+    * Fix several security issues in dvi backend.
+      CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
+      (José Aliste)
+
+* Evince 0.7.0
+
+    * Buffer overflow in PS backend (#380191).
+      CVE-2006-5864. (Carlos Garcia Campos)
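
Review bot: "commics backend" in the Evince 3.24.1 entry is a typo for "comics backend". The 3.21.92 entry also repeats the missing period after "(#769700)". Since the commit message says the file exists so people can quickly check whether a CVE is fixed, and notes that CVE-2017-1000083 affected only versions up to 3.24, consider stating the affected range or branch next to each entry; as written, the file lists only the release that carries the fix.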

