update release notes to include cve fix

commit: 64611e15c7cd89e6bcd3ac573108b18b47f0830c [log] [tgz]
author: Pietro Albini <pietro.albini@ferrous-systems.com> Thu Aug 03 11:06:10 2023 +0200
committer: Pietro Albini <pietro.albini@ferrous-systems.com> Thu Aug 03 11:06:10 2023 +0200
tree: 197f7a38719bc555b3d1e3f974a8a714c624658d
parent: 20d5786fe2cca68f389c03d4b4f079294ba32912 [diff]
diff --git a/RELEASES.md b/RELEASES.md
index 165709e..f719a2f 100644
--- a/RELEASES.md
+++ b/RELEASES.md

@@ -1,6 +1,7 @@
 Version 1.71.1 (2023-08-03)
 ===========================
 
+- [Fix CVE-2023-38497: Cargo did not respect the umask when extracting dependencies](https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87)
 - [Fix bash completion for users of Rustup](https://github.com/rust-lang/rust/pull/113579)
 - [Do not show `suspicious_double_ref_op` lint when calling `borrow()`](https://github.com/rust-lang/rust/pull/112517)
 - [Fix ICE: substitute types before checking inlining compatibility](https://github.com/rust-lang/rust/pull/113802)
commit	64611e15c7cd89e6bcd3ac573108b18b47f0830c	[log] [tgz]
author	Pietro Albini <pietro.albini@ferrous-systems.com>	Thu Aug 03 11:06:10 2023 +0200
committer	Pietro Albini <pietro.albini@ferrous-systems.com>	Thu Aug 03 11:06:10 2023 +0200
tree	197f7a38719bc555b3d1e3f974a8a714c624658d
parent	20d5786fe2cca68f389c03d4b4f079294ba32912 [diff]