CHANGELOG.md: mention security vulnerabilities

Change-Id: Ibb3f43f97e649aa98e1adaa8cb20fb8d1cb213b6
Signed-off-by: Darek Stojaczyk <dariusz.stojaczyk@intel.com>
Reviewed-on: https://review.gerrithub.io/c/spdk/spdk/+/463665
Reviewed-by: Paul Luse <paul.e.luse@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Darek Stojaczyk 2019-07-30 19:22:42 +02:00
parent b64ff135c5
commit a3de1d1b40

@ -247,6 +247,11 @@ and CXX to the cross compilers, then run configure as follows:
### vhost
A security vulnerability has been identified and fixed in SPDK Vhost-SCSI target.
A malicious client (e.g. a virtual machine) could send a carefully prepared,
invalid I/O request to crash the entire SPDK process. All users of SPDK Vhost-SCSI
target are strongly recommended to update. All SPDK versions < 19.07 are affected.
By default, SPDK will now rely on upstream DPDK's rte_vhost instead of its fork
located inside SPDK repo. The internal fork is still kept around to support older
DPDK versions, but is considered legacy and will be eventually removed.
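Review bot: The new vhost paragraph states that all SPDK versions < 19.07 are affected but gives no CVE or advisory identifier and no fixing commit, so a reader cannot match the notice against a tracker or confirm that a backport contains the fix; please add that reference. Because the following paragraph says the internal rte_vhost fork is still kept for older DPDK versions, it would also help to state whether the fix lives in the Vhost-SCSI target itself or depends on which rte_vhost is in use.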
@ -256,6 +261,13 @@ version is >= 19.05.
spdk_vhost_init() is now asynchronous and accepts a completion callback.
### iscsi target
A security vulnerability has been identified and fixed in SPDK iSCSI target.
A malicious client (e.g. an iSCSI initiator) could send a carefully prepared,
invalid I/O request to crash the entire SPDK process. All users of SPDK iSCSI
target are strongly recommended to update. All SPDK versions < 19.07 are affected.
### thread
Exposed spdk_set_thread() in order for applications to associate
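Review bot: In the iscsi target paragraph, "A malicious client (e.g. an iSCSI initiator)" does not say whether the invalid request can be sent before login and authentication complete or only within an established session, which is what operators need to judge their network exposure; one added sentence on that would help. The wording is otherwise identical to the vhost entry, so state explicitly that this is a separate issue and give it its own identifier or fixing commit.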