diff --git a/docs/en/04_Changelogs/3.1.9.md b/docs/en/04_Changelogs/3.1.9.md
index 431e53186..81a452edf 100644
--- a/docs/en/04_Changelogs/3.1.9.md
+++ b/docs/en/04_Changelogs/3.1.9.md
@@ -1,14 +1,60 @@
 # 3.1.9
 
-# Overview
-
-This release replaces the 3.1.8 release, and resolves an issue where basic authentication would not work when PHP is running under CGI mode with Apache.
-
 ## Upgrading
- * Add the rule ```	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]``` to the .htacces file in your sites root directory after the line ```RewriteEngine On```.  
+
+### File permissions
+
+This release makes an important change to File DataObject permissions in order to close a vulnerability in
+file modification privileges.
+
+By default the minimum necessary permission required by any user to modify files has been changed
+to CMS_ACCESS_AssetAdmin. If you need unauthenticated users, or users with other rights, to edit certain
+files, then you will need to customise this.
+
+E.g.
+
+	:::php
+	<?php
+	class FileSecurityExtension extends DataExtension {
+		public function canEdit($member) {
+			return Permission::checkMember($member, 'MyCustomPermission');
+		}
+	}
+
+An example use case is when you want to use UploadField on the frontend, where files could be uploaded
+by non-admin users, and your above logic will need to ensure that those users can edit their own files
+after they have uploaded it.
+
+## Security
+
+This release includes an important security fix.
+
+ * 2015-01-12 [c49f164](https://github.com/silverstripe/silverstripe-framework/commit/c49f164) Fix file and uploadfield permissions [SS-2014-018](http://www.silverstripe.org/software/download/security-releases/ss-2014-018-open-file-permissions).
+
+### Features and Enhancements
+
+ * 2014-11-21 [31b5a9d](https://github.com/silverstripe/sapphire/commit/31b5a9d) Allow CMS re-authentication to be completely disabled if necessary (Damian Mooyman)
+ * 2014-12-10 [fba6880](https://github.com/silverstripe/sapphire/commit/fba6880) Additional extension points for Tiny MCE editing, for when images are regenerated and manipulating the HTML prior to a save (Gordon Anderson)
+ * 2014-11-13 [d7eb275](https://github.com/silverstripe/sapphire/commit/d7eb275) Make the record count in GridFieldFooter optional (Jeremy Shipman)
 
 ### Bugfixes
 
+ * 2015-01-08 [a02adf6](https://github.com/silverstripe/sapphire/commit/a02adf6) Uneccessary class replacement (Michael Strong)
+ * 2014-12-18 [5637431](https://github.com/silverstripe/sapphire/commit/5637431) The method 'name' does not exist on 'Form' (Elvinas L)
+ * 2014-12-15 [6582162](https://github.com/silverstripe/sapphire/commit/6582162) How to folder on forms (Cam Findlay)
+ * 2014-12-11 [b5c361a](https://github.com/silverstripe/sapphire/commit/b5c361a) GD - check file exists before getimagesize (Will Morgan)
+ * 2014-12-09 [6bdd30c](https://github.com/silverstripe/sapphire/commit/6bdd30c) Fix gridfield storing duplicate data in session (Damian Mooyman)
+ * 2014-12-09 [3ac705f](https://github.com/silverstripe/sapphire/commit/3ac705f) Feedback to name the fields section to "field types" to make it clearer what the section is about. (Cam Findlay)
+ * 2014-12-09 [e9fd03b](https://github.com/silverstripe/sapphire/commit/e9fd03b) use GFMD code blocks to fix code formatting consistency. (Cam Findlay)
+ * 2014-11-25 [01989aa](https://github.com/silverstripe/sapphire/commit/01989aa) Manifest flushing (Jonathon Menz)
+ * 2014-11-24 [7384d01](https://github.com/silverstripe/sapphire/commit/7384d01) DataDifferencer was trying to compare fields, even if the fields didn't exist causing an error. (micmania1)
+ * 2014-11-18 [2bdfd65](https://github.com/silverstripe/sapphire/commit/2bdfd65) Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)
+ * 2014-11-10 [85b4ba1](https://github.com/silverstripe/sapphire/commit/85b4ba1) DataObject::db() doesn't respect overloaded db types (fixes #3620) (Loz Calver)
+ * 2014-10-03 [9d888d5](https://github.com/silverstripe/silverstripe-cms/commit/9d888d5) Fixed SearchForm not calling getTemplate() in forTemplate() (Stephen McMahon)
+ * 2014-09-02 [1f4f5e6](https://github.com/silverstripe/sapphire/commit/1f4f5e6) Fix versioned Versioned is not writing Version to _version tables for subclasses of Version dataobjects which have their own DB fields - Fix disjoint of ID / RecordID (which should be the same) - Fix calculation of new record version - Fix use of empty vs !isset to check for existing version (Damian Mooyman)
 
 ## Changelog
 
+ * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.9)
+ * [cms](https://github.com/silverstripe/silverstripe-cms/releases/tag/3.1.9)
+ * [installer](https://github.com/silverstripe/silverstripe-installer/releases/tag/3.1.9)
diff --git a/docs/en/04_Changelogs/rc/3.1.9-rc1.md b/docs/en/04_Changelogs/rc/3.1.9-rc1.md
new file mode 100644
index 000000000..1ecfeaeaf
--- /dev/null
+++ b/docs/en/04_Changelogs/rc/3.1.9-rc1.md
@@ -0,0 +1,29 @@
+# 3.1.9-rc1
+
+### Features and Enhancements
+
+ * 2014-11-21 [31b5a9d](https://github.com/silverstripe/sapphire/commit/31b5a9d) Allow CMS re-authentication to be completely disabled if necessary (Damian Mooyman)
+ * 2014-12-10 [fba6880](https://github.com/silverstripe/sapphire/commit/fba6880) Additional extension points for Tiny MCE editing, for when images are regenerated and manipulating the HTML prior to a save (Gordon Anderson)
+ * 2014-11-13 [d7eb275](https://github.com/silverstripe/sapphire/commit/d7eb275) Make the record count in GridFieldFooter optional (Jeremy Shipman)
+
+### Bugfixes
+
+ * 2015-01-08 [a02adf6](https://github.com/silverstripe/sapphire/commit/a02adf6) Uneccessary class replacement (Michael Strong)
+ * 2014-12-18 [5637431](https://github.com/silverstripe/sapphire/commit/5637431) The method 'name' does not exist on 'Form' (Elvinas L)
+ * 2014-12-15 [6582162](https://github.com/silverstripe/sapphire/commit/6582162) How to folder on forms (Cam Findlay)
+ * 2014-12-11 [b5c361a](https://github.com/silverstripe/sapphire/commit/b5c361a) GD - check file exists before getimagesize (Will Morgan)
+ * 2014-12-09 [6bdd30c](https://github.com/silverstripe/sapphire/commit/6bdd30c) Fix gridfield storing duplicate data in session (Damian Mooyman)
+ * 2014-12-09 [3ac705f](https://github.com/silverstripe/sapphire/commit/3ac705f) Feedback to name the fields section to "field types" to make it clearer what the section is about. (Cam Findlay)
+ * 2014-12-09 [e9fd03b](https://github.com/silverstripe/sapphire/commit/e9fd03b) use GFMD code blocks to fix code formatting consistency. (Cam Findlay)
+ * 2014-11-25 [01989aa](https://github.com/silverstripe/sapphire/commit/01989aa) Manifest flushing (Jonathon Menz)
+ * 2014-11-24 [7384d01](https://github.com/silverstripe/sapphire/commit/7384d01) DataDifferencer was trying to compare fields, even if the fields didn't exist causing an error. (micmania1)
+ * 2014-11-18 [2bdfd65](https://github.com/silverstripe/sapphire/commit/2bdfd65) Security::findAnAdministrator doesn't always find an admin (Damian Mooyman)
+ * 2014-11-10 [85b4ba1](https://github.com/silverstripe/sapphire/commit/85b4ba1) DataObject::db() doesn't respect overloaded db types (fixes #3620) (Loz Calver)
+ * 2014-10-03 [9d888d5](https://github.com/silverstripe/silverstripe-cms/commit/9d888d5) Fixed SearchForm not calling getTemplate() in forTemplate() (Stephen McMahon)
+ * 2014-09-02 [1f4f5e6](https://github.com/silverstripe/sapphire/commit/1f4f5e6) Fix versioned Versioned is not writing Version to _version tables for subclasses of Version dataobjects which have their own DB fields - Fix disjoint of ID / RecordID (which should be the same) - Fix calculation of new record version - Fix use of empty vs !isset to check for existing version (Damian Mooyman)
+
+## Changelog
+
+ * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.1.9-rc1)
+ * [cms](https://github.com/silverstripe/silverstripe-cms/releases/tag/3.1.9-rc1)
+ * [installer](https://github.com/silverstripe/silverstripe-installer/releases/tag/3.1.9-rc1)