Update NEWS file

Author: adoy

NEWS

@@ -62,6 +62,12 @@ PHP                                                                        NEWS
     (SakiTakamachi)
   . Fixed bug GH-13203 (file_put_contents fail on strings over 4GB on Windows).
     (divinity76)
+  . Fixed bug GHSA-pc52-254m-w9w7 (Command injection via array-ish $command
+    parameter of proc_open). (CVE-2024-1874) (Jakub Zelenka)
+  . Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
+    partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
+  . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
+    opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
 
 - XML:
   . Fixed bug GH-13517 (Multiple test failures when building with