diff --git a/NEWS b/NEWS index ef5568a0f..3404afa03 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,13 @@ +strongswan-4.1.1 +---------------- + +- Server side cookie support. If to may IKE_SAs are in CONNECTING state, + cookies are enabled and protect against DoS attacks with faked source + addresses. Number of IKE_SAs in CONNECTING state is also limited per + peer address to avoid resource exhaustion. IKE_SA_INIT messages are + compared to properly detect retransmissions and incoming retransmits are + detected even if the IKE_SA is blocked (e.g. doing OCSP fetches). + strongswan-4.1.0 ---------------- diff --git a/TODO b/TODO index c8977ee01..91363e38b 100644 --- a/TODO +++ b/TODO @@ -15,10 +15,11 @@ Roadmap 2007 ! Apr ! - PRF in CHILD_SA rekeying ! - configuration managament refactoring - ! - interface in charon for the new SMP management interface + ! - credentials backend redesign + ! - interface in charon for the XML based SMP management interface ! - reimplement IKEv2 p2p NATT support ! - May ! - XML configuration interface + May ! - SMP configuration client ! Jun ! - start with IKEv1 migration strategy ! @@ -47,11 +48,6 @@ Build system - configure flag which allows to ommit vendor id in pluto - reduce printf handlers count to 10, as uClibc does not support more -Denail of service ------------------ -- Cookie support on server -- thread exhaustion (multiple messages to a single IKE_SA) - Certificate support ------------------- - New trustchain mechanism? @@ -70,3 +66,4 @@ Misc ---- - PFS support for creating/rekeying CHILD_SAs - Address pool/backend for virtual IP assignement +- fix iterator->insert_before/after
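Review bot: the NEWS entry for strongswan-4.1.1 has a typo in its first sentence, "If to may IKE_SAs are in CONNECTING state", which should read "If too many IKE_SAs are in CONNECTING state". The entry also gives no figure for when cookies switch on or for the per-peer limit of IKE_SAs in CONNECTING state, and does not say whether either is configurable. An operator sizing a gateway against floods with faked source addresses would want both values, or a pointer to where they are set, in this entry.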
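Review bot: in the TODO roadmap hunk (@@ -15,10 +15,11 @@), the new Apr line "interface in charon for the XML based SMP management interface" and the new May line "SMP configuration client" use SMP without expanding it anywhere in the visible lines, so spell it out once. "XML based" should be hyphenated as "XML-based", and the neighbouring context line "configuration managament refactoring" could have its spelling fixed in the same change.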
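Review bot: the TODO hunk at @@ -47,11 +48,6 @@ deletes the whole "Denail of service" section, but only one of its two items, "Cookie support on server", is clearly matched by the new NEWS entry. The other, "thread exhaustion (multiple messages to a single IKE_SA)", is at most partly covered by the NEWS wording about detecting retransmits while an IKE_SA is blocked; messages to a single IKE_SA that are not retransmits are not mentioned. Either state in NEWS that this case is handled, or keep the item in TODO so it is not lost.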
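Review bot: the added Misc item "fix iterator->insert_before/after" in the last TODO hunk (@@ -70,3 +66,4 @@) does not say what is wrong with those two iterator methods, so whoever picks it up later cannot tell when it is done. Add a short description of the defect to the item.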