diff --git a/CHANGELOG.md b/CHANGELOG.md
index d20329e..ffadb81 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,36 @@
+## stable-4384
+
+Based on stable release 4384.
+
+* 1ffd472 security: add script to generate strong passwords
+* a015710 security: don't provide default passwords
+* aaec22d jigasi: fix typo in config
+* ebfa142 docs: fix grammar and typos
+* bab77e0 doc: update env.example
+* 7652807 examples: traefik v2
+* 10983b4 prosody: prevent item-not-found error in certain cases
+* 3524a52 base: fail to start the container if the init script fails
+* 7c0c795 jicofo: only configure Jigasi brewery if Jigasi is configured
+* 40c2920 build: add prepare command
+* 93ba770 prosody: fix installing prosody from the right repository
+* 3c07d76 doc: improve wording of README
+* ed410d9 doc: fix typo
+* fabfb2a doc: fix typo
+* 5e6face web: use PUBLIC_URL for etherpaad base and BOSH URLs
+* 264df04 jvb: switch to using Jitsi's STUN server by default
+* 655cf6b web,prosody,jvb: prepare for new stable release
+* ebb4536 doc: update CHANGELOG
+* 06c3a83 doc: fix references to running behind NAT in the README
+
+**Important security note: ** Previous releases included default passwords for
+system accounts, and users who didn't change them are at risk of getting
+the authentication system circumvented by an attacker using a system account
+with the default password. Please update and use the provided script
+(instructions on the README) to generate a strong password for each system
+account.
+
+Thanks joernchen for the security report.
+
 ## stable-4101-2
 
 Based on stable release 4101.