Added release notes

docs/releasenotes/8.3.0.rst

@@ -61,7 +61,17 @@ format, through the new ``bitmap_format`` argument::
 Security
 ========
 
-TODO
+Parsing XML
+^^^^^^^^^^^
+
+Pillow previously parsed XMP data using Python's ``xml`` module. However, this module
+is not secure.
+
+- :py:meth:`~PIL.Image.Image.getexif` has used ``xml`` to potentially retrieve
+  orientation data since Pillow 7.2.0. It has been refactored to use ``re`` instead.
+- :py:meth:`~PIL.JpegImagePlugin.JpegImageFile.getxmp` was added Pillow 8.2.0. It will
+  now use ``defusedxml`` instead. If the dependency is not present, an empty dictionary
+  will be returned and a warning raised.
 
 Other Changes
 =============