2 files changed, 10 insertions, 8 deletions

diff --git a/doc/news/version_3.20160905.mdwn b/doc/news/version_3.20160905.mdwn
deleted file mode 100644
index 9bd925bf6..000000000
--- a/doc/news/version_3.20160905.mdwn
+++ /dev/null
@@ -1,8 +0,0 @@
-ikiwiki 3.20160905 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * [ Joey Hess ]
-   * Fix installation when prefix includes a string metacharacter.
-     Thanks, Sam Hathaway.
- * [ Simon McVittie ]
-   * Use git log --no-renames to generate recentchanges, fixing the git
-     test-case with git 2.9 (Closes: #[835612](http://bugs.debian.org/835612))"""]]
\ No newline at end of file
diff --git a/doc/news/version_3.20170111.mdwn b/doc/news/version_3.20170111.mdwn
new file mode 100644
index 000000000..03b2ac2c4
--- /dev/null
+++ b/doc/news/version_3.20170111.mdwn
@@ -0,0 +1,10 @@
+ikiwiki 3.20170111 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * passwordauth: prevent authentication bypass via multiple name
+     parameters (CVE-2017-0356, OVE-20170111-0001)
+   * passwordauth: avoid userinfo forgery via repeated email parameter
+     (also in the scope of CVE-2017-0356)
+   * CGI, attachment, passwordauth: harden against repeated parameters
+     (not believed to have been a vulnerability)
+   * remove: make it clearer that repeated page parameter is OK here
+   * t/passwordauth.t: new automated test for passwordauth"""]]
\ No newline at end of file