Added release notes

docs/releasenotes/10.2.0.rst

@@ -39,10 +39,13 @@ enums have been added to :py:class:`PIL.DdsImagePlugin`.
 Security
 ========
 
-TODO
-^^^^
+Restrict environment dictionary keys for ImageMath.eval
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-TODO
+:cve:`2023-50447`: If an attacker has control over the keys passed to the
+``environment`` argument of :py:meth:`PIL.ImageMath.eval`, they may be able to execute
+arbitrary code. To prevent this, keys matching the names of builtins and keys
+containing double underscores will now raise a :py:exc:`ValueError`.
 
 Other Changes
 =============