Added CVE number to escaping issue in changelog [skip ci]

framework/CHANGELOG.md

@@ -4,7 +4,7 @@ Yii Framework 2 Change Log
 2.0.13 under development
 ------------------------
 
-- Enh #14022: `yii\web\UrlManager::setBaseUrl()` now supports aliases (dmirogin)
+- Enh #14022: `yii\web\UrlManager::setBaseUrl()` now supports al14492iases (dmirogin)
 - Bug #14471: `ContentNegotiator` will always set one of the configured server response formats even if the client does not accept any of them (PowerGamer1)
 - Bug #14525: Fixed 2.0.12 regression of loading of global fixtures trough `yii fixture/load` (michaelarnauts)
 - Bug #14523: Added `yii\web\MultipartFormDataParser::$force` option allowing to enforce parsing even on 'POST' request (klimov-paul)
@@ -48,7 +48,7 @@ Yii Framework 2 Change Log
 - Bug #14318: Trigger `yiiActiveForm.events.afterValidateAttribute` after updating attribute  (dmirogin)
 - Bug #14493: Fixed getting permissions in `yii\rbac\Dbmanger::getPermissionsByUser` by user with id equals 0 (dmirogin)
 - Bug #14370: Fixed creating built-in validator in model with same function name (dmirogin)
-- Bug #14492: Fixed error handler not escaping error info debug mode (samdark)
+- Bug #14492: Fixed error handler not escaping error info debug mode, see CVE-2017-11516 (samdark)
 - Chg #14487: Changed i18n message error to warning (dmirogin)
 - Enh #7823: Added `yii\filters\AjaxFilter` filter (dmirogin)
 - Enh #14363: Added `yii\widgets\LinkPager::$linkContainerOptions` and possibility to override tag in `yii\widgets\LinkPager::$options` (dmirogin)