diff --git a/ChangeLog b/ChangeLog
index 3c5caec9..dc0f6cd4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2009-08-27  Micah Cowan  <micah@cowan.name>
+
+	* NEWS: Add mention of the NUL characters SSL security fix.
+
 2009-07-28  Micah Cowan  <micah@cowan.name>
 
 	* NEWS: Mention some more previously undocumented items, the
diff --git a/NEWS b/NEWS
index 559558e7..87bd21c0 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,10 @@ Please send GNU Wget bug reports to <bug-wget@gnu.org>.
 
 ** Mailing list MOVED to bug-wget@gnu.org
 
+** SECURITY FIX: It had been possible to trick Wget into accepting
+SSL certificates that don't match the host name, through the trick of
+embedding NUL characters into the certs' common name.
+
 ** Added support for CSS. This includes:
      - Parsing links from CSS files, and from CSS content found in HTML
        style tags and attributes.