diff --git a/release-notes/CREDITS b/release-notes/CREDITS
index 092a4f0b97..c321eb2814 100644
--- a/release-notes/CREDITS
+++ b/release-notes/CREDITS
@@ -496,3 +496,7 @@ Diego de Estrada (diegode@github)
 Kevin Hogeland (khogeland@github)
   * Reported #1501: `ArrayIndexOutOfBoundsException` on non-static inner class constructor
    (2.7.9)
+
+xiexq (xiexq@knownsec.com)
+  * Reported #2389: Block one more gadget type (CVE-2019-14361)
+   (2.7.9.6)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 421a229ad5..e580ae33db 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -11,7 +11,8 @@ Project: jackson-databind
 #2334: Block class for CVE-2019-12384
 #2341: Block class for CVE-2019-12814
 #2387: Block yet another deserialization gadget (EHCache, CVE-2019-xxxxx?)
-#2389: Block yet another deserialization gadget (Logback, CVE-2019-xxxxx?)
+#2389: Block yet another deserialization gadget (CVE-2019-14439)
+ (reported by xiexq)
 
 2.7.9.5 (23-Nov-2018)