diff --git a/CHANGES.md b/CHANGES.md
index 011374e607..5672caec54 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -8,7 +8,15 @@
 
 - Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
 
+# Synapse 1.138.3 (2025-10-07)
 
+## Security Fixes
+
+- Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([\#17097](https://github.com/element-hq/synapse/issues/17097))
+
+## Deprecations and Removals
+
+- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
 
 # Synapse 1.139.0 (2025-09-30)
 
diff --git a/debian/changelog b/debian/changelog
index fe8321d803..a666727c87 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,12 @@ matrix-synapse-py3 (1.139.1) stable; urgency=medium
 
  -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 11:46:51 +0100
 
+matrix-synapse-py3 (1.138.3) stable; urgency=medium
+
+  * New Synapse release 1.138.3.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 12:54:18 +0100
+
 matrix-synapse-py3 (1.139.0) stable; urgency=medium
 
   * New Synapse release 1.139.0.