From 76eb7d35ab39c75b565791f98505c7ea721f2593 Mon Sep 17 00:00:00 2001
From: Frederick Price <rprice@pricemail.ca>
Date: Fri, 24 Feb 2023 08:53:19 -0500
Subject: [PATCH] Update docs

---
 CHANGES.rst                   | 15 +++++++++++++++
 docs/releasenotes/6.2.2.4.rst | 11 +++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 docs/releasenotes/6.2.2.4.rst

diff --git a/CHANGES.rst b/CHANGES.rst
index 3edeee836..59951a20e 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -2,6 +2,21 @@
 Changelog (Pillow)
 ==================
 
+6.2.2.4 (date TBD)
+------------------
+
+- Use more specific regex chars to prevent ReDoS. CVE-2021-25292
+  [rickprice,hugovk]
+
+6.2.2.3 (2023-02-23)
+------------------
+
+- CVE-2022-22817 Restrict builtins for ImageMath.eval()
+  [rickprice]
+
+- CVE-2022-24303 Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
+  [rickprice]
+
 6.2.2.2 (date TBD)
 ------------------
 
diff --git a/docs/releasenotes/6.2.2.4.rst b/docs/releasenotes/6.2.2.4.rst
new file mode 100644
index 000000000..25e3fda6d
--- /dev/null
+++ b/docs/releasenotes/6.2.2.4.rst
@@ -0,0 +1,11 @@
+6.2.2.4
+-------
+
+Security
+========
+
+This release addresses several critical CVEs.
+
+:cve:`CVE-2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``,
+since Pillow 4.3.0.
+