author John Hawthorn <john@hawthorn.email> 2019-03-22 13:43:56 -0700
committer GitHub <noreply@github.com> 2019-03-22 13:43:56 -0700
commit b27885c6c2756fb98c52a75fd9c02b26d39f3cf3 (patch)
tree 4ca31fe57955e0a7d45d6e99dd7cd94ce85621f5
parent 1d2f553d16d8e3ee1dd6622b96ad98a72ea98d2d (diff)
parent 5c2d695993080f294c54353954254aa44c6da12c (diff)
Merge pull request #35715 from jhawthorn/changelog_for_cves_6_0
Update CHANGELOGs for 6.0.0.beta3 release
-rw-r--r-- actionview/CHANGELOG.md | 11
-rw-r--r-- railties/CHANGELOG.md   | 12
2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index d07794ddf3..6717004ceb 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,6 +1,15 @@
## Rails 6.0.0.beta3 (March 11, 2019) ##
-* No changes.
+* Only accept formats from registered mime types
+
+ A lack of filtering on mime types could allow an a attacker to read
+ arbitrary files on the target server or to perform a denial of service
+ attack.
+
+ Fixes CVE-2019-5418
+ Fixes CVE-2019-5419
+
+ *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
## Rails 6.0.0.beta2 (February 25, 2019) ##
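Review bot: typo in the added entry body, "could allow an a attacker to read" has a doubled article and should read "could allow an attacker to read". The rest of the entry follows the CHANGELOG conventions (title line, blank line, description, "Fixes CVE-..." lines, italicised authors), so no other change is needed in this hunk.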
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 226b949b34..754f11212c 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -4,7 +4,17 @@
## Rails 6.0.0.beta3 (March 11, 2019) ##
-* No changes.
+* Generate random development secrets
+
+ A random development secret is now generated to tmp/development_secret.txt
+
+ This avoids an issue where development mode servers were vulnerable to
+ remote code execution.
+
+ Fixes CVE-2019-5420
+
+ *Eileen M. Uchitelle*, *Aaron Patterson*, *John Hawthorn*
+
## Rails 6.0.0.beta2 (February 25, 2019) ##
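Review bot: the trailing added blank line (the `+` line just before `## Rails 6.0.0.beta2`) is not present in the actionview hunk, which ends directly on the authors line and relies on the existing blank context lines; drop it so both CHANGELOGs keep the same spacing between entries. Minor wording point in the description: "is now generated to tmp/development_secret.txt" reads more naturally as "is now written to tmp/development_secret.txt".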