diff --git a/VERSION b/VERSION
index ab8d21c0ecab..89c881bc9cb9 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.12.4-dev
+1.12.4
diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst
index d7e659c20a32..1ac4a5c91b54 100644
--- a/docs/root/intro/version_history.rst
+++ b/docs/root/intro/version_history.rst
@@ -1,9 +1,10 @@
 Version history
 ---------------
 
-1.12.4 (Pending)
-================
+1.12.4 (June 8, 2020)
+=====================
 * http: added :ref:`headers_with_underscores_action setting <envoy_api_field_core.HttpProtocolOptions.headers_with_underscores_action>` to control how client requests with header names containing underscore characters are handled. The options are to allow such headers, reject request or drop headers. The default is to allow headers, preserving existing behavior.
+* http: fixed CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters.
 
 1.12.3 (March 3, 2020)
 ======================