diff --git a/CHANGELOG.md b/CHANGELOG.md
index 028fb4cb..b8cf3ab7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,11 @@ and this project adheres to
 
 ### Changed
 
+- Domain-specific private reverse DNS upstream servers are now validated to
+  allow only `*.in-addr.arpa` and `*.ip6.arpa` domains pointing to
+  locally-served networks ([#3381]).  **Note:**  If you already have invalid
+  entries in your configuration, consider removing them manually, since they
+  essentially had no effect.
 - Response filtering is now performed using the record types of the answer
   section of messages as opposed to the type of the question ([#4238]).
 - Instead of adding the build time information, the build scripts now use the
@@ -72,6 +77,7 @@ In this release, the schema version has changed from 12 to 13.
 [#2993]: https://github.com/AdguardTeam/AdGuardHome/issues/2993
 [#3057]: https://github.com/AdguardTeam/AdGuardHome/issues/3057
 [#3367]: https://github.com/AdguardTeam/AdGuardHome/issues/3367
+[#3381]: https://github.com/AdguardTeam/AdGuardHome/issues/3381
 [#4221]: https://github.com/AdguardTeam/AdGuardHome/issues/4221
 [#4238]: https://github.com/AdguardTeam/AdGuardHome/issues/4238
 
@@ -90,10 +96,18 @@ See also the [v0.107.4 GitHub milestone][ms-v0.107.4].
 - Unnecessarily complex hosts-related logic leading to infinite recursion in
   some cases ([#4216]).
 
+### Security
+
+- Go version was updated to prevent the possibility of exploiting
+  [CVE-2022-23806], [CVE-2022-23772], and [CVE-2022-23773].
+
 [#4216]: https://github.com/AdguardTeam/AdGuardHome/issues/4216
 [#4254]: https://github.com/AdguardTeam/AdGuardHome/issues/4254
 
-[ms-v0.107.4]: https://github.com/AdguardTeam/AdGuardHome/milestone/41?closed=1
+[CVE-2022-23772]: https://www.cvedetails.com/cve/CVE-2022-23772
+[CVE-2022-23773]: https://www.cvedetails.com/cve/CVE-2022-23773
+[CVE-2022-23806]: https://www.cvedetails.com/cve/CVE-2022-23806
+[ms-v0.107.4]:    https://github.com/AdguardTeam/AdGuardHome/milestone/41?closed=1