diff --git a/CHANGES b/CHANGES
index 2ec5d0070d..4497a3f4a5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,11 @@
 
+2.5.3 | 2018-02-13 09:35:56 -0800
+
+  * Release 2.5.3. (Johanna Amann)
+
+	* Patch in Binpac submodule that fixes an integer overflow
+	  (Philippe Antoine/Catena cyber).
+
 2.5.2 | 2017-10-16 13:37:47 -0700
 
   * Release 2.5.2
@@ -6,7 +13,7 @@
   * Patch OOB write in content-line analyzer.
 
     A combination of packets can trigger an out of bound write of '0' byte
-    in the content-line analyzer. Addresses BIT-1856.
+    in the content-line analyzer. Addresses BIT-1856/CVE-2017-1000458.
     (Frank Meier/Johanna Amann)
 
 2.5.1 | 2017-06-26 15:55:45 -0700
diff --git a/NEWS b/NEWS
index fcd29de834..9fde6bec7d 100644
--- a/NEWS
+++ b/NEWS
@@ -4,13 +4,22 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as BroControl and Broccoli, come with
 their own ``CHANGES``.)
 
+Bro 2.5.3
+=========
+
+Bro 2.5.3 fixes a security issue in Binpac generated code. In some cases
+the code generated by binpac could leat to an integer overflow which can
+lead to out of bound reads and allow a remote attacker to crash Bro; there
+is also a possibility that this can be exploited in other ways.
+
 Bro 2.5.2
 =========
 
 Bro 2.5.2 fixes a security issue in the ContentLine analyzer. In rare cases
 a bug in the ContentLine analyzer can lead to an out of bound write of a single
 byte. This allows a remote attacker to crash Bro; there also is a possibility
-this can be exploited in other ways.
+this can be exploited in other ways. CVE-2017-1000458 has been assigned to this
+issue.
 
 Bro 2.5.1
 =========
diff --git a/VERSION b/VERSION
index f225a78adf..aedc15bb0c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5.2
+2.5.3
diff --git a/aux/binpac b/aux/binpac
index 27356ae52f..2632263eab 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 27356ae52ff9ff639b53a7325ea3262e1a13b704
+Subproject commit 2632263eab3a74ee1a5b94b79a10dbfb7950f761