diff CHANGES.txt @ 4962:63c31b18b955

Fix issue 2550848: HTML attachments should not be served as text/html

This adds a whitelist of safe extensions based on analysis of all committed mime-types to bugs.python.org and issues.roun...org

In future the whitelist can be turned off with option 'render_unsafe_content' (like in Trac), but adding this new feature requires a minor version bump.
author anatoly techtonik <techtonik@gmail.com>
date Sat, 17 Jan 2015 21:06:04 +0300
parents 58537764bf77
children cdfb1a3fb56f
--- a/CHANGES.txt	Mon Jan 05 16:38:30 2015 +0100
+++ b/CHANGES.txt	Sat Jan 17 21:06:04 2015 +0300
@@ -120,13 +120,6 @@
   include the email addresses, depending on your installation you may
   want to further restrict this or add some attributes like ``address``
   and ``alternate_addresses``. (Ralf Schlatterbeck)
-- Security: Attached html files are not shipped as text/html by default,
-  unless ``allow_html_file`` is specified in the configuration.
-  Unfortunately some browsers want to be helpful and render other
-  non-standard content types as html. We now change this to
-  application/octet-stream whenever 'html' is contained in the string
-  (case insensitive). Thanks to Kay Hayen for reporting and helping
-  debug this. (Ralf Schlatterbeck)
 - Correctly recreate the database directory when re-initialising a tracker
   instance. (John Kristensen)
 - In case of an error, date fields would lose the calendar help, fixed.
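Review bot: the entry removed here is the only place the changelog told administrators that ``allow_html_file`` is the opt-in for serving attachments as text/html and that everything whose type contains "html" falls back to application/octet-stream; since the replacement entry further down only says the option "didn't provide protection for invalid content-type", please make the new entry state explicitly what happens to ``allow_html_file`` now (still honoured, ignored, or deprecated) and what content type non-whitelisted attachments are served with, so that an operator reading the release notes can tell whether existing configurations keep their behaviour.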
@@ -140,6 +133,13 @@
   restore web presence for "Roundup’s Design Document" (anatoly techtonik)
 - Template jinja2: Updated URL to point to http://www.roundup-tracker.org/
   (Bernhard Reiter)
+- Security: Add mime-type whitelist for attachmens that can be safely
+  rendered from Roundup without trigerring security bugs in browser
+  plugins, XSS issues and spam. The option ``allow_html_file`` didn't
+  provide protection for invalid content-type, in which case browser
+  tried to guess the best one. Thanks to Kay Hayen for reporting and
+  helping debug this. issue2550848 (Ralf Schlatterbeck, anatoly techtonik)
+
 
 
 2013-07-06: 1.5.0
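Review bot: two typos in the added lines, "attachmens" should read "attachments" and "trigerring" should read "triggering". The added blank line (the lone "+" line) lands in front of two existing blank lines, giving three empty lines before the "2013-07-06: 1.5.0" heading; drop it to keep the one-blank-line spacing used between release sections. Since the commit message notes the whitelist cannot yet be switched off (the 'render_unsafe_content' option is deferred to a minor version bump), the entry should also say that the whitelist is not configurable in this release, so that people with legitimately non-whitelisted attachment types know the change affects them.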

Roundup Issue Tracker: http://roundup-tracker.org/