diff --git a/NEWS b/NEWS
index a5c59f0d..d5a816b4 100644
--- a/NEWS
+++ b/NEWS
@@ -2,9 +2,24 @@ GNU Bison NEWS
 
 * Noteworthy changes in release ?.? (????-??-??) [?]
 
+  This release of Bison fixes all known bugs reported for Bison in MITRE's
+  Common Vulnerabilities and Exposures (CVE) system.  These vulnerabilities
+  are only about bison-the-program itself, not the generated code.
+
+  Although these bugs are typically irrelevant to how Bison is used, they
+  are worth fixing if only to give users peace of mind.
+
+  There is no known vulnerability in the generated parsers.
+
 ** Bug fixes
 
-  Push parsers use YYMALLOC/YYFREE instead of direct calls to malloc/free.
+  Push parsers always use YYMALLOC/YYFREE (no direct calls to malloc/free).
+
+  Portability issues of the test suite, and of bison itself.
+
+  Some unlikely crashes found by fuzzing have been fixed.  This is only
+  about bison itself, not the generated parsers.
+
 
 * Noteworthy changes in release 3.7.1 (2020-08-02) [stable]
 
@@ -560,7 +575,8 @@ GNU Bison NEWS
   \005) with incorrect styling.  Fixes for similar issues with unexpectedly
   short lines (e.g., the file was changed between parsing and diagnosing).
 
-  Several unlikely crashes found by fuzzing have been fixed.
+  Some unlikely crashes found by fuzzing have been fixed.  This is only
+  about bison itself, not the generated parsers.
 
 
 * Noteworthy changes in release 3.5.2 (2020-02-13) [stable]
diff --git a/TODO b/TODO
index b8b2befb..e9874678 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,12 @@
-* Bison 3.7
+* Soon
+** gnulib
+Bruno notes:
+
+> I haven't looked deeply, but it strikes me that gnulib/lib/bitset/array.c
+> does not make use of the 'ffsl' function, nor or the 'integer_length_l'
+> function. Maybe because in Bison, all bitsets are so dense that it does
+> not give a performance advantage?
+
 ** Cex
 *** Improve gnulib
 Don't do this (counterexample.c):