diff --git a/CHANGES b/CHANGES
index 9e6c7f9dbb7..554419bd7e6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -14,6 +14,12 @@ Authentication:
    By default this is disabled (secrets are stored in the .ini)
    but can be enabled via the .ini configuration key `use_users_db`
    in the `couch_httpd_oauth` section.
+ * Documents in the _users database are no longer publically
+   readable.
+ * Confidential information in the _replication database is no
+   longer publically readable.
+ * Password hashes are now calculated by CouchDB. Clients are no
+   longer required to do this manually.
 
 Build System:
 
@@ -65,6 +71,8 @@ Storage System:
 
 View Server:
 
+ * Add CoffeeScript (http://coffeescript.org/) as a first class view server
+   language.
  * Fixed old index file descriptor leaks after a view cleanup.
 
 OAuth:
diff --git a/NEWS b/NEWS
index 51aa1c7ec14..244ce9b3eae 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,11 @@ This version has not been released yet.
    a filter. It affected continuous pull replications with a filter.
  * Fix use of OAuth with VHosts and URL rewriting.
  * OAuth secrets can now be stored in the users system database.
+ * Documents in the _users database can no longer be read by everyone.
+ * Confidential information in the _replication database can no longer
+   be read by everyone.
+ * Password hashes are now calculated by CouchDB instead of the
+   client.
 
 Version 1.1.2
 -------------