diff --git a/ChangeLog b/ChangeLog index 44b4598a..d4d65e35 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,26 @@ +2024-06-11 Omar Polo + + * configure (VERSION): release 2.0.5 + +2024-06-10 Omar Polo + + * don't error on a '..' component at the start of the path + * reject NUL bytes embedded in the request + +2024-06-09 Omar Polo + + * check for truncation various strlcpy calls. + * clean up of a few unused prototypes and externs. + +2024-06-08 Omar Polo + + * configure: change how strnvis(3) is handled: on systems + with the broken interface gmid will just use its built-in + version. + 2024-06-06 Omar Polo + * parse.y: allow again empty lines at the start of the config * configure (VERSION): release 2.0.4 * portability fix for system with a wrong strnvis(3) diff --git a/site/changelog.gmi b/site/changelog.gmi index e5465458..13228891 100644 --- a/site/changelog.gmi +++ b/site/changelog.gmi @@ -1,5 +1,14 @@ # change log +## 2024/06/11 - 2.0.5 “Lady Stardust” security release + +This release fixes a logic error that can result in a DoS; therefore is a strongly reccomended update for all users. It's safe to update to it from any version of the 2.0.x series. + +* allow again empty lines at the start of the configuration file +* change how strnvis(3) is handled: on systems with the broken interface gmid will just use its own built-in version +* reject requests with NUL bytes in them. +* don't error on a '..' component at the start of the path. + ## 2024/06/06 - 2.0.4 “Lady Stardust” bugfix release * add a nicer error message if the removed `cgi' option is still used. Reported by freezr.
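Review bot: in the ChangeLog hunk, none of the entries added for 2024-06-08 through 2024-06-11 is marked as the security fix, although site/changelog.gmi in this same patch describes 2.0.5 as a security release for a logic error that can result in a DoS. Suggest tagging the relevant entry, or adding a line under 2024-06-11 next to "configure (VERSION): release 2.0.5", so that someone reading only ChangeLog can tell which change matters for backporting. Minor: "check for truncation various strlcpy calls." is missing a word ("check for truncation in various strlcpy calls"), and the new bullets mix trailing periods with none.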
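Review bot: in the 2.0.5 paragraph of the site/changelog.gmi hunk, "reccomended" should be "recommended", and "therefore is a strongly" reads better as "it is therefore a strongly recommended update for all users". The paragraph also does not say which of the four bullets corresponds to the DoS fix; naming it would let operators judge their exposure before updating. The strlcpy truncation checks recorded under 2024-06-09 in ChangeLog are not listed here, so add them if they are user-visible, and make the trailing periods on the bullets consistent (the last two end with a period, the first two do not).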