diff --git a/CHANGES b/CHANGES index 0979291a52..746b7357a3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,27 @@ +6.1.1 | 2024-01-19 08:58:08 -0700 + + * Update CHANGES, VERSION, and NEWS for 6.1.1 (Tim Wojtulewicz) + + * MIME: Cap nested MIME analysis depth to 100 (Arne Welzel, Corelight) + + OSS-Fuzz managed to produce a MIME multipart message construction with + thousands of nested entities (or that's what Zeek makes out of it anyhow). + Prevent such deep analysis by capping at a nesting depth of 100, + preventing unnecessary resource usage. A new weird named exceeded_mime_max_depth + is reported when this limit is reached. + + This change reduces the runtime of the OSS-Fuzz reproducer from ~45 seconds + to ~2.5 seconds. + + The test PCAP was produced from a Python script using the email package + and sending the rendered version via POST to a HTTP server. + + (cherry picked from commit 997c017df937ea47d999d9724e247c3d0e38e509) + + * GH-3177: Make sure Spicy symbols are available. (Benjamin Bannier, Corelight) + + (cherry picked from commit 638e8a051959c869261b46ebc56e1bce80d200b0) + 6.1.0-31 | 2024-01-18 16:25:51 -0700 * CI: Remove unused openssl30_config (Tim Wojtulewicz, Corelight) diff --git a/NEWS b/NEWS index f71d7dab3a..7fd9945711 100644 --- a/NEWS +++ b/NEWS 
@@ -6,6 +6,15 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file Zeek 6.1.1 ========== +This release fixes the following security issues: + +- A specially-crafted series of packets containing nested MIME entities can + cause Zeek to spend large amounts of time parsing the entities. Due to the + possibility of receiving these packets from remote hosts, this is a DoS + risk.The fix included adds a new option (MIME::max_depth) to the MIME parser + that limits the depth the parser will attempt to follow the entity nesting. If + the limit is reached an exceeded_mime_max_depth weird is generated. + This release fixes the following bugs: - CMake correctly passes along third-party package information when building @@ -29,6 +38,9 @@ This release fixes the following bugs: the &create_expire attribute intact. This broke the "log hosts every 24h" behavior. +- Zeek builds using the --binary-package argument and including Spicy will now + include all necessary Spicy symbols. + Zeek 6.1.0 ========== diff --git a/VERSION b/VERSION index a625b8905b..f3b5af39e4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -6.1.0-31 +6.1.1
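Review bot: The CHANGES entry for the MIME depth cap describes the limit as a fixed "nesting depth of 100" but does not name the option that the NEWS hunk documents (MIME::max_depth), so a reader of CHANGES alone would not know the cap is tunable; suggest adding one line such as "The limit is controlled by the new MIME::max_depth option (default 100)." next to the sentence that introduces the exceeded_mime_max_depth weird. Minor: "via POST to a HTTP server" should read "an HTTP server".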
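Review bot: Missing space in the NEWS security note, "risk.The fix included adds" should be "risk. The fix included adds", and "The fix included adds" itself reads awkwardly; suggest "The fix adds a new option (MIME::max_depth) to the MIME parser". Since this is the operator-facing release note, it would also help to state the default depth (100, per the CHANGES entry) so operators can decide whether to tune it, and to say that the exceeded_mime_max_depth weird is the signal to look for in weird.log when the limit is hit.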
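Review bot: The Spicy symbols bullet in NEWS does not reference the issue it resolves, while the matching CHANGES entry is tagged GH-3177; suggest appending "(GH-3177)" to "include all necessary Spicy symbols." so the two release documents cross-reference consistently, as the other bug-fix entries do via their tracked issues.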