From fcd093f3017f623cf9a2ea74e5c182f3a6f9d2cc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vladimir.cunat@nic.cz>
Date: Wed, 9 Aug 2017 10:23:47 +0200
Subject: [PATCH] release 1.3.3

---
 NEWS      | 8 +++++++-
 config.mk | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index e4248ed7e..445d7bcbf 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,12 @@
-Knot Resolver 1.3.3 (2017-0_-__)
+Knot Resolver 1.3.3 (2017-08-09)
 ================================
 
+Security
+--------
+- Fix a critical DNSSEC flaw.  Signatures might be accepted as valid
+  even if the signed data was not in bailiwick of the DNSKEY used to
+  sign it, assuming the trust chain to that DNSKEY was valid.
+
 Bugfixes
 --------
 - iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
diff --git a/config.mk b/config.mk
index e7db4577a..d688dc0ec 100644
--- a/config.mk
+++ b/config.mk
@@ -1,7 +1,7 @@
 # Project
 MAJOR := 1
 MINOR := 3
-PATCH := 2
+PATCH := 3
 EXTRA :=
 ABIVER := 3
 BUILDMODE := dynamic
-- 
2.47.2