diff --git a/CHANGES b/CHANGES index eba74fc287..88ce88fbd7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +7.0.3 | 2024-10-04 15:42:14 -0700 + + * Update CHANGES, VERSION, and NEWS for 7.0.3 release (Christian Kreibich, Corelight) + 7.0.2-5 | 2024-10-04 10:46:01 -0700 * Merge remote-tracking branch 'security/topic/awelzel/215-pop3-mail-null-deref' (Christian Kreibich, Corelight) diff --git a/NEWS b/NEWS index 18a0fe49a3..e96b28f4d3 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,21 @@ This document summarizes the most important changes in the current Zeek release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as Broker, come with their own ``CHANGES``.) +Zeek 7.0.3 +========== + +This release fixes the following security issue: + +- Adding to the POP3 hardening in 7.0.2, the parser now simply discards too many + pending commands, rather than any attempting to process them. Further, invalid + server responses do not result in command completion anymore. Processing + out-of-order commands or finishing commands based on invalid server responses + could result in inconsistent analyzer state, potentially triggering null + pointer references for crafted traffic. + +This release ships with Spicy 1.11.3, a bugfix release. Please refer to its +release notes for details. + Zeek 7.0.2 ========== diff --git a/VERSION b/VERSION index 189fa8c988..a50da181e9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.0.2-5 +7.0.3
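Review bot: In the NEWS hunk, the first bullet of the new Zeek 7.0.3 entry has a wording slip: "rather than any attempting to process them" should read "rather than attempting to process any of them". In the same bullet, "null pointer references" presumably means "null pointer dereferences", which would match the merged branch name `215-pop3-mail-null-deref` shown in the CHANGES context. The bullet also says the parser discards "too many pending commands" without stating the threshold; naming the limit, or pointing to where it is defined, would let operators judge whether legitimate pipelined POP3 sessions can hit it.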