--- a/CHANGES	Tue Mar 15 23:20:40 2016 +0800
+++ b/CHANGES	Fri Mar 18 22:47:33 2016 +0800
@@ -1,4 +1,4 @@
-- Fix crash when fallback initshells() is used, reported by Michael Nowak and Mike Tzou
+2016.73 - 18 March 2016
 
 - Support syslog in dbclient, option -o usesyslog=yes. Patch from Konstantin Tokarev
 
@@ -9,18 +9,29 @@
 - New "-o" option parsing from Konstantin Tokarev. This allows handling some extra options
   in the style of OpenSSH, though implementing all OpenSSH options is not planned.
 
-- Various cleanups for issues found by a lint tool, patch from Francois Perrad
+- Fix crash when fallback initshells() is used, reported by Michael Nowak and Mike Tzou
 
 - Allow specifying commands eg "dropbearmulti dbclient ..." instead of symlinks
 
+- Various cleanups for issues found by a lint tool, patch from Francois Perrad
+
 - Fix tab indent consistency, patch from Francois Perrad
 
 - Fix issues found by cppcheck, reported by Mike Tzou
 
+- Use system memset_s() or explicit_bzero() if available to clear memory. Also make
+  libtomcrypt/libtommath routines use that (or Dropbear's own m_burn()).
+
+- Prevent scp failing when the local user doesn't exist. Based on patch from Michael Witten.
+
+- Improved Travis CI test running, thanks to Mike Tzou
+
+- Improve some code that was flagged by Coverity and Fortify Static Code Analyzer
+
 2016.72 - 9 March 2016
 
 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
-  found by github.com/tintinweb. Thanks for Damien Miller for a patch.
+  found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116
 
 2015.71 - 3 December 2015