Fix CVE references.

ChangeLog.txt

@@ -29,15 +29,15 @@ Clients:
 ==================
 
 Security:
-- CVE-2021-23980: If an authenticated client connected with MQTT v5 sent a
+- CVE-2021-28166: If an authenticated client connected with MQTT v5 sent a
  malformed CONNACK message to the broker a NULL pointer dereference occurred,
  most likely resulting in a segfault.
  Affects versions 2.0.0 to 2.0.9 inclusive.
 
 Broker:
 - Don't over write new receive-maximum if a v5 client connects and takes over
  an old session. Closes #2134.
-- Fix CVE-xxxx-xxxx. Closes #2163.
+- Fix CVE-2021-28166. Closes #2163.
 
 Clients:
 - Set `receive-maximum` to not exceed the `-C` message count in mosquitto_sub
@@ -1251,8 +1251,8 @@ Build:
 ==============
 
 Security:
-- Fix memory leak that could be caused by a malicious CONNECT packet. This
- does not yet have a CVE assigned. Closes #533493 (on Eclipse bugtracker)
+- Fix memory leak that could be caused by a malicious CONNECT packet.
+ CVE-2017-7654. Closes #533493 (on Eclipse bugtracker)
 
 Broker features:
 - Add per_listener_settings to allow authentication and access control to be