diff --git a/CHANGES b/CHANGES
index 7b1e2da7337a211283a3e424eb952aea95e942e4..d9d6029dbe1b6d20e7ab2e94a206be6353e4f030 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2016.72 - 9 March 2016
+
+- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
+  found by github.com/tintinweb. Thanks for Damien Miller for a patch.
+
 2015.71 - 3 December 2015
 
 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
diff --git a/sysoptions.h b/sysoptions.h
index a29cbbe32b373c4252e2ff6fb47d646105ff02d4..85ef71871bcd2ae478a6bcb522a7b5bc959ffed4 100644
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -4,7 +4,7 @@
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2015.71"
+#define DROPBEAR_VERSION "2016.72"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION