From 18d0bd66da2be86c1c54610cc76d1813c22fd564 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 19 Jan 2026 09:39:39 +0100
Subject: [PATCH 1/3] changelog

---
 ChangeLog | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index adefd5906..5bc755931 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,33 @@
+# 2026-01-19 Version 3.21.0
+
+Bugfix release with a few new API functions addressing shortcomings with
+regard to input data validation.
+Thanks to @ehdgks0627 we have fixed the following additional (medium)
+client side vulnerabilities:
+* CVE-2026-23530
+* CVE-2026-23531
+* CVE-2026-23532
+* CVE-2026-23533
+* CVE-2026-23534
+* CVE-2026-23732
+* CVE-2026-23883
+* CVE-2026-23884
+
+## What's Changed
+* [client,sdl] fix monitor resolution (#12142)
+* [codec,progressive] fix progressive_rfx_upgrade_block (#12143)
+* Krb cache fix (#12145)
+* Rdpdr improved checks (#12141)
+* Codec advanced length checks (#12146)
+* Glyph fix length checks (#12151)
+* Wlog printf format string checks (#12150)
+* [warnings,format] fix format string warnings (#12152)
+* Double free fixes (#12153)
+* [clang-tidy] clean up code warnings (#12154)
+
+For a complete and detailed change log since the last release run:
+git log 3.21.0...3.20.2
+
 # 2026-01-14 Version 3.20.2
 
 Patch release fixing a regression with gateway connections introduced with 3.20.1

From 6f5d0048f006a2d2ffc9b9fa05f0e98db464c5a4 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 19 Jan 2026 09:40:08 +0100
Subject: [PATCH 2/3] release 3.21.0

---
 cmake/GetProjectVersion.cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmake/GetProjectVersion.cmake b/cmake/GetProjectVersion.cmake
index 80710f364..c366a9f2d 100644
--- a/cmake/GetProjectVersion.cmake
+++ b/cmake/GetProjectVersion.cmake
@@ -4,7 +4,7 @@ option(USE_GIT_FOR_REVISION "Extract git tag/commit" OFF)
 function(get_project_version VERSION_MAJOR VERSION_MINOR VERSION_REVISION VERSION_SUFFIX GIT_REVISION)
 
   # Default version, hard codec per release
-  set(RAW_VERSION_STRING "3.20.3-dev0")
+  set(RAW_VERSION_STRING "3.21.0")
 
   set(VERSION_REGEX "^(.*)([0-9]+)\\.([0-9]+)\\.([0-9]+)-?(.*)")
 

From 10440d2ef615be354e89c2b4ddd218ad6b956f41 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 19 Jan 2026 09:40:26 +0100
Subject: [PATCH 3/3] dev cycle 3.21.1-dev0

---
 cmake/GetProjectVersion.cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmake/GetProjectVersion.cmake b/cmake/GetProjectVersion.cmake
index c366a9f2d..9f428b794 100644
--- a/cmake/GetProjectVersion.cmake
+++ b/cmake/GetProjectVersion.cmake
@@ -4,7 +4,7 @@ option(USE_GIT_FOR_REVISION "Extract git tag/commit" OFF)
 function(get_project_version VERSION_MAJOR VERSION_MINOR VERSION_REVISION VERSION_SUFFIX GIT_REVISION)
 
   # Default version, hard codec per release
-  set(RAW_VERSION_STRING "3.21.0")
+  set(RAW_VERSION_STRING "3.21.1-dev0")
 
   set(VERSION_REGEX "^(.*)([0-9]+)\\.([0-9]+)\\.([0-9]+)-?(.*)")