diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cb929eca5..a784d075d4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -82,7 +82,7 @@ it will be removed; but as it won't be user-visible this isn't considered a brea ## RELEASE NOTES -## [2.3.1] TBD +## [2.3.1] June 09, 2022 [2.3.1]: https://github.com/emissary-ingress/emissary/compare/v2.3.0...v2.3.1 ### Emissary-ingress and Ambassador Edge Stack @@ -92,6 +92,12 @@ it will be removed; but as it won't be user-visible this isn't considered a brea startup. This issue has been resolved to ensure that the defaults are only applied when driver is `zipkin` ([#4267]) +- Security: We have backported patches from the Envoy 1.19.5 security update to Emissary-ingress's + 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. Emissary-ingress is not affected + by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal + redirects, and does not use Envoy's built-in OAuth2 filter. + [#4267]: https://github.com/emissary-ingress/emissary/issues/4267 ## [2.3.0] June 06, 2022 diff --git a/_cxx/envoy.mk b/_cxx/envoy.mk index 1be68204ff..8f0609105d 100644 --- a/_cxx/envoy.mk +++ b/_cxx/envoy.mk @@ -13,7 +13,7 @@ RSYNC_EXTRAS ?= # IF YOU MESS WITH ANY OF THESE VALUES, YOU MUST RUN `make update-base`. ENVOY_REPO ?= $(if $(IS_PRIVATE),git@github.com:datawire/envoy-private.git,https://github.com/datawire/envoy.git) - ENVOY_COMMIT ?= 4ce93dc3ace00ae9108b179d0afaceac13f4602a + ENVOY_COMMIT ?= 8151e9a87cde33721a1b1f864d0c54ae72e4aa78 ENVOY_COMPILATION_MODE ?= opt # Increment BASE_ENVOY_RELVER on changes to `docker/base-envoy/Dockerfile`, or Envoy recipes. # You may reset BASE_ENVOY_RELVER when adjusting ENVOY_COMMIT. diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 685407e06c..0b54f1b7d3 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml 
@@ -33,7 +33,7 @@ changelog: https://github.com/emissary-ingress/emissary/blob/$branch$/CHANGELOG.md items: - version: 2.3.1 - date: "TBD" + date: '2022-06-09' notes: - title: fix regression in tracing service config type: bugfix @@ -44,6 +44,15 @@ items: github: - title: "#4267" link: https://github.com/emissary-ingress/emissary/issues/4267 + - title: Envoy security updates + type: security + body: >- + We have backported patches from the Envoy 1.19.5 security update to $productName$'s + 1.17-based Envoy, addressing CVE-2022-29224 and CVE-2022-29225. $productName$ is not + affected by CVE-2022-29226, CVE-2022-29227, or CVE-2022-29228; as it does not support internal + redirects, and does not use Envoy's built-in OAuth2 filter. + docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k - version: 2.3.0 date: '2022-06-06' notes:
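Review bot: In the CHANGELOG.md security entry, the semicolon in "or CVE-2022-29228; as it does not support internal redirects" splits one sentence in two; a comma reads correctly: "or CVE-2022-29228, as it does not support internal redirects and does not use Envoy's built-in OAuth2 filter." The matching entry in docs/releaseNotes.yml carries a `docs:` link to the envoy-announce post for this security update, but the CHANGELOG copy does not; since the CHANGELOG is what most operators read when deciding whether to upgrade, add the same link here so the CVE list can be checked against the upstream advisory.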
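Review bot: The _cxx/envoy.mk hunk changes ENVOY_COMMIT to `8151e9a87cde33721a1b1f864d0c54ae72e4aa78`, and the comment right above it says any change to these values requires running `make update-base` and that BASE_ENVOY_RELVER may be reset when ENVOY_COMMIT changes; BASE_ENVOY_RELVER is outside the visible context, so please state in the PR description that the base image was rebuilt and what was done with BASE_ENVOY_RELVER. A bare commit hash on the datawire fork is also hard to audit against the CVE list in the CHANGELOG; a one-line comment next to the pin naming the upstream Envoy security release the patches were backported from (1.19.5, per the CHANGELOG) would let a reviewer verify that the pinned commit actually contains the fixes for CVE-2022-29224 and CVE-2022-29225.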
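Review bot: The docs/releaseNotes.yml security item repeats the CHANGELOG wording, including the same misplaced semicolon in "CVE-2022-29228; as it does not support internal redirects", so fix the punctuation in both places and keep the two texts in sync if the wording is revised further (they differ only by the `$productName$` substitution). `type: security` and the `docs:` link to the envoy-announce thread are the right shape for this entry; the date change from `"TBD"` to `'2022-06-09'` in the earlier hunk also matches the single-quoted ISO format used by the 2.3.0 entry below it.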