diff --git a/VERSION.txt b/VERSION.txt
index 0a2a0d5c5394..3492b09b4f67 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.31.2-dev
+1.31.2
diff --git a/changelogs/1.28.7.yaml b/changelogs/1.28.7.yaml
new file mode 100644
index 000000000000..da5d914b7bcc
--- /dev/null
+++ b/changelogs/1.28.7.yaml
@@ -0,0 +1,22 @@
+date: September 19, 2024
+
+behavior_changes:
+- area: http
+  change: |
+    The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
+    If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary ``x-envoy``
+    headers) please explictily include those addresses or CIDR ranges into :ref:`internal_address_config
+    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`
+    See the config examples from the above ``internal_address_config`` link. This default no trust internal address can be turned on by
+    setting runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.
+
+minor_behavior_changes:
+- area: access_log
+  change: |
+    Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
+    flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
+
+bug_fixes:
+- area: http_async_client
+  change: |
+    Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.
diff --git a/changelogs/1.29.9.yaml b/changelogs/1.29.9.yaml
new file mode 100644
index 000000000000..dbd5efcf2390
--- /dev/null
+++ b/changelogs/1.29.9.yaml
@@ -0,0 +1,27 @@
+date: September 19, 2024
+
+behavior_changes:
+- area: http
+  change: |
+    The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
+    If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary ``x-envoy``
+    headers) please explictily include those addresses or CIDR ranges into :ref:`internal_address_config
+    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`
+    See the config examples from the above ``internal_address_config`` link. This default no trust internal address can be turned on by
+    setting runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.
+
+minor_behavior_changes:
+- area: access_log
+  change: |
+    Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
+    flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
+
+bug_fixes:
+- area: jwt
+  change: |
+    Fixed a bug where using ``clear_route_cache`` with remote JWKs works
+    incorrectly and may cause a crash when the modified request does not match
+    any route.
+- area: http_async_client
+  change: |
+    Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.
diff --git a/changelogs/1.30.6.yaml b/changelogs/1.30.6.yaml
new file mode 100644
index 000000000000..dbd5efcf2390
--- /dev/null
+++ b/changelogs/1.30.6.yaml
@@ -0,0 +1,27 @@
+date: September 19, 2024
+
+behavior_changes:
+- area: http
+  change: |
+    The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
+    If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary ``x-envoy``
+    headers) please explictily include those addresses or CIDR ranges into :ref:`internal_address_config
+    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`
+    See the config examples from the above ``internal_address_config`` link. This default no trust internal address can be turned on by
+    setting runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.
+
+minor_behavior_changes:
+- area: access_log
+  change: |
+    Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
+    flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
+
+bug_fixes:
+- area: jwt
+  change: |
+    Fixed a bug where using ``clear_route_cache`` with remote JWKs works
+    incorrectly and may cause a crash when the modified request does not match
+    any route.
+- area: http_async_client
+  change: |
+    Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
index 822249c90342..b188a39d5c24 100644
--- a/changelogs/current.yaml
+++ b/changelogs/current.yaml
@@ -1,7 +1,6 @@
-date: Pending
+date: September 19, 2024
 
 behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 - area: http
   change: |
     The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
@@ -16,14 +15,12 @@ behavior_changes:
     requests and responses to address to address stability concerns. This behavior can be reverted by setting the feature to ``true``.
 
 minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
 - area: access_log
   change: |
     Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
     flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: jwt
   change: |
     Fixed a bug where using ``clear_route_cache`` with remote JWKs works
@@ -32,10 +29,3 @@ bug_fixes:
 - area: http_async_client
   change: |
     Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:
diff --git a/docs/inventories/v1.28/objects.inv b/docs/inventories/v1.28/objects.inv
index 2fd3b18a0dfb..fd7a066d88dd 100644
Binary files a/docs/inventories/v1.28/objects.inv and b/docs/inventories/v1.28/objects.inv differ
diff --git a/docs/inventories/v1.29/objects.inv b/docs/inventories/v1.29/objects.inv
index 11b1c785f665..d6586b52fa2a 100644
Binary files a/docs/inventories/v1.29/objects.inv and b/docs/inventories/v1.29/objects.inv differ
diff --git a/docs/inventories/v1.30/objects.inv b/docs/inventories/v1.30/objects.inv
index 2a52602afc3a..f961430394b9 100644
Binary files a/docs/inventories/v1.30/objects.inv and b/docs/inventories/v1.30/objects.inv differ
diff --git a/docs/inventories/v1.31/objects.inv b/docs/inventories/v1.31/objects.inv
index a75bbca49371..144ce7dbd812 100644
Binary files a/docs/inventories/v1.31/objects.inv and b/docs/inventories/v1.31/objects.inv differ
diff --git a/docs/versions.yaml b/docs/versions.yaml
index 91046c7a39d4..9362cfb44e23 100644
--- a/docs/versions.yaml
+++ b/docs/versions.yaml
@@ -21,7 +21,7 @@
 "1.25": 1.25.11
 "1.26": 1.26.8
 "1.27": 1.27.7
-"1.28": 1.28.6
-"1.29": 1.29.8
-"1.30": 1.30.5
-"1.31": 1.31.0
+"1.28": 1.28.7
+"1.29": 1.29.9
+"1.30": 1.30.6
+"1.31": 1.31.1