diff --git a/NEWS b/NEWS index 24522397..e778f760 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,28 @@ +Changes in 1.8.7 +~~~~~~~~~~~~~~~~ +Released: 2022-02-03 + +This is a security update that fixes two issues that were found in flatpak: + +https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j +(also known as CVE-2021-43860) + +This issue is about the possibility for a malicious repository to send +invalid application metadata in a way that hides some of the app +permissions displayed during installation. + +https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx +(also known as CVE-2022-21682) + +This issue is a problem with how flatpak-builder uses flatpak, that +can cause `flatpak-builder --mirror-screenshots-url` commands to be +allowed to create directories outside of the build directory. + +The fix for this is is the addition of a new option +`--nofilesystem=host:reset`, which in addition to behaving like +`--nofilesystem=host`, the new option prevents filesystem permissions +from being inherited from the app manifest. + Changes in 1.8.6 ~~~~~~~~~~~~~~~~ Released: 2022-01-24
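Review bot: the last added paragraph of the 1.8.7 entry has a doubled word ("The fix for this is is the addition") and a sentence that does not parse ("which in addition to behaving like `--nofilesystem=host`, the new option prevents ..."). Suggested wording: "The fix for this is the addition of a new option, `--nofilesystem=host:reset`, which behaves like `--nofilesystem=host` and additionally prevents filesystem permissions from being inherited from the app manifest." Two further points on the same paragraph: the entry announces two issues but "The fix for this" only covers CVE-2022-21682, so name the advisory it refers to and add a sentence on what changed for CVE-2021-43860; and since the text describes the second issue as a problem with how flatpak-builder uses flatpak, the entry should say whether flatpak-builder also has to be updated to pass the new option, because as written a reader cannot tell whether upgrading flatpak alone closes the issue.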