diff --git a/ChangeLog b/ChangeLog
index 0062504c11..695cff78b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,171 @@
+Changes in version 0.3.4.9 - 2018-11-02
+  Tor 0.3.4.9 is the second stable release in its series; it backports
+  numerous fixes, including a fix for a bandwidth management bug that
+  was causing memory exhaustion on relays.  Anyone running an earlier
+  version of Tor 0.3.4.9 should upgrade.
+
+  o Major bugfixes (compilation, backport from 0.3.5.3-alpha):
+    - Fix compilation on ARM (and other less-used CPUs) when compiling
+      with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
+
+  o Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha):
+    - Make sure Tor bootstraps and works properly if only the
+      ControlPort is set. Prior to this fix, Tor would only bootstrap
+      when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel
+      port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
+
+  o Major bugfixes (relay, backport from 0.3.5.3-alpha):
+    - When our write bandwidth limit is exhausted, stop writing on the
+      connection. Previously, we had a typo in the code that would make
+      us stop reading instead, leading to relay connections being stuck
+      indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix
+      on 0.3.4.1-alpha.
+
+  o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
+    - Fix a use-after-free error that could be caused by passing Tor an
+      impossible set of options that would fail during options_act().
+      Fixes bug 27708; bugfix on 0.3.3.1-alpha.
+
+  o Minor features (continuous integration, backport from 0.3.5.1-alpha):
+    - Don't do a distcheck with --disable-module-dirauth in Travis.
+      Implements ticket 27252.
+    - Only run one online rust build in Travis, to reduce network
+      errors. Skip offline rust builds on Travis for Linux gcc, because
+      they're redundant. Implements ticket 27252.
+    - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
+      duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
+      Linux with default settings, because all the non-default builds
+      use gcc on Linux. Implements ticket 27252.
+
+  o Minor features (continuous integration, backport from 0.3.5.3-alpha):
+    - Use the Travis Homebrew addon to install packages on macOS during
+      Travis CI. The package list is the same, but the Homebrew addon
+      does not do a `brew update` by default. Implements ticket 27738.
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2
+      Country database. Closes ticket 27991.
+
+  o Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha):
+    - Fix an integer overflow bug in our optimized 32-bit millisecond-
+      difference algorithm for 32-bit Apple platforms. Previously, it
+      would overflow when calculating the difference between two times
+      more than 47 days apart. Fixes part of bug 27139; bugfix
+      on 0.3.4.1-alpha.
+    - Improve the precision of our 32-bit millisecond difference
+      algorithm for 32-bit Apple platforms. Fixes part of bug 27139;
+      bugfix on 0.3.4.1-alpha.
+    - Relax the tolerance on the mainloop/update_time_jumps test when
+      running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix
+      on 0.3.4.1-alpha.
+
+  o Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha):
+    - Avoid undefined behavior in an end-of-string check when parsing the
+      BEGIN line in a directory object.  Fixes bug 28202; bugfix on
+      0.2.0.3-alpha.
+
+  o Minor bugfixes (CI, appveyor):
+    - Only install the necessary mingw packages during our appveyor
+      builds. This change makes the build a little faster, and prevents a
+      conflict with a preinstalled mingw openssl that appveyor now ships.
+      Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha.
+
+  o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
+    - Rewrite our assertion macros so that they no longer suppress the
+      compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
+
+  o Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha):
+    - Stop reinstalling identical packages in our Windows CI. Fixes bug
+      27464; bugfix on 0.3.4.1-alpha.
+
+  o Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha):
+    - Log additional info when we get a relay that shares an ed25519
+      ID with a different relay, instead making a BUG() warning.
+      Fixes bug 27800; bugfix on 0.3.2.1-alpha.
+
+  o Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha):
+    - Avoid a double-close when shutting down a stalled directory
+      connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.
+
+  o Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha):
+    - Fix a bug warning when closing an HTTP tunnel connection due to an
+      HTTP request we couldn't handle. Fixes bug 26470; bugfix
+      on 0.3.2.1-alpha.
+
+  o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
+    - Ensure circuitmux queues are empty before scheduling or sending
+      padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
+    - When the onion service directory can't be created or has the wrong
+      permissions, do not log a stack trace. Fixes bug 27335; bugfix
+      on 0.3.2.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
+    - Close all SOCKS request (for the same .onion) if the newly fetched
+      descriptor is unusable. Before that, we would close only the first
+      one leaving the other hanging and let to time out by themselves.
+      Fixes bug 27410; bugfix on 0.3.2.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
+    - When selecting a v3 rendezvous point, don't only look at the
+      protover, but also check whether the curve25519 onion key is
+      present. This way we avoid picking a relay that supports the v3
+      rendezvous but for which we don't have the microdescriptor. Fixes
+      bug 27797; bugfix on 0.3.2.1-alpha.
+
+  o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
+    - Reject protocol names containing bytes other than alphanumeric
+      characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
+      on 0.2.9.4-alpha.
+
+  o Minor bugfixes (rust, backport from 0.3.5.1-alpha)
+    - Compute protover votes correctly in the rust version of the
+      protover code. Previously, the protover rewrite in 24031 allowed
+      repeated votes from the same voter for the same protocol version
+      to be counted multiple times in protover_compute_vote(). Fixes bug
+      27649; bugfix on 0.3.3.5-rc.
+    - Reject protover names that contain invalid characters. Fixes bug
+      27687; bugfix on 0.3.3.1-alpha.
+
+  o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
+    - protover_all_supported() would attempt to allocate up to 16GB on
+      some inputs, leading to a potential memory DoS. Fixes bug 27206;
+      bugfix on 0.3.3.5-rc.
+
+  o Minor bugfixes (rust, to appear in 0.3.5.4-alpha):
+    - Fix a potential null dereference in protover_all_supported().
+      Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
+    - Return a string that can be safely freed by C code, not one created by
+      the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix
+      on 0.3.3.1-alpha.
+
+  o Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha):
+    - Fix an API mismatch in the rust implementation of
+      protover_compute_vote(). This bug could have caused crashes on any
+      directory authorities running Tor with Rust (which we do not yet
+      recommend). Fixes bug 27741; bugfix on 0.3.3.6.
+
+  o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
+    - If a unit test running in a subprocess exits abnormally or with a
+      nonzero status code, treat the test as having failed, even if the
+      test reported success. Without this fix, memory leaks don't cause
+      the tests to fail, even with LeakSanitizer. Fixes bug 27658;
+      bugfix on 0.2.2.4-alpha.
+
+  o Minor bugfixes (testing, backport from 0.3.5.3-alpha):
+    - Make the hs_service tests use the same time source when creating
+      the introduction point and when testing it. Now tests work better
+      on very slow systems like ARM or Travis. Fixes bug 27810; bugfix
+      on 0.3.2.1-alpha.
+
+  o Minor bugfixes (testin, to appear in 0.3.5.4-alpha):
+    - Treat backtrace test failures as expected on BSD-derived systems
+      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
+      (FreeBSD failures have been treated as expected since 18204 in 0.2.8.)
+      Fixes bug 27948; bugfix on 0.2.5.2-alpha.
+
+
 Changes in version 0.3.4.8 - 2018-09-10
   Tor 0.3.4.8 is the first stable release in its series; it includes
   compilation and portability fixes.
diff --git a/changes/bug25505 b/changes/bug25505
deleted file mode 100644
index 101c7d5246..0000000000
--- a/changes/bug25505
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (netflow padding):
-    - Ensure circuitmux queues are empty before scheduling or sending padding.
-      Fixes bug 25505; bugfix on 0.3.1.1-alpha.
diff --git a/changes/bug26470 b/changes/bug26470
deleted file mode 100644
index 854ec7ea72..0000000000
--- a/changes/bug26470
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (HTTP tunnel):
-    - Fix a bug warning when closing an HTTP tunnel connection due to
-      an HTTP request we couldn't handle. Fixes bug 26470; bugfix on
-      0.3.2.1-alpha.
diff --git a/changes/bug26896 b/changes/bug26896
deleted file mode 100644
index 9762dc7fac..0000000000
--- a/changes/bug26896
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (directory connection shutdown):
-    - Avoid a double-close when shutting down a stalled directory connection.
-      Fixes bug 26896; bugfix on 0.3.4.1-alpha.
diff --git a/changes/bug27139 b/changes/bug27139
deleted file mode 100644
index 0d1e3b4329..0000000000
--- a/changes/bug27139
+++ /dev/null
@@ -1,14 +0,0 @@
-  o Minor bugfixes (32-bit OSX and iOS, timing):
-    - Fix an integer overflow bug in our optimized 32-bit millisecond-
-      difference algorithm for 32-bit Apple platforms. Previously, it
-      would overflow when calculating the difference between two times
-      more than 47 days apart.  Fixes part of bug 27139; bugfix on
-      0.3.4.1-alpha.
-    - Improve the precision of our 32-bit millisecond difference
-      algorithm for 32-bit Apple platforms. Fixes part of bug 27139;
-      bugfix on 0.3.4.1-alpha.
-    - Relax the tolerance on the mainloop/update_time_jumps test
-      when running on 32-bit Apple platforms. Fixes part of bug 27139;
-      bugfix on 0.3.4.1-alpha.
-
-
diff --git a/changes/bug27206 b/changes/bug27206
deleted file mode 100644
index c0fbbed702..0000000000
--- a/changes/bug27206
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - protover_all_supported() would attempt to allocate up to 16GB on some
-      inputs, leading to a potential memory DoS. Fixes bug 27206; bugfix on
-      0.3.3.5-rc.
diff --git a/changes/bug27316 b/changes/bug27316
deleted file mode 100644
index cec9348912..0000000000
--- a/changes/bug27316
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (protover):
-    - Reject protocol names containing bytes other than alphanumeric characters
-      and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix on 0.2.9.4-alpha.
diff --git a/changes/bug27335 b/changes/bug27335
deleted file mode 100644
index dcc55a945a..0000000000
--- a/changes/bug27335
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (hidden service v3):
-    - In case the hidden service directory can't be created or has wrong
-      permissions, do not BUG() on it which lead to a non fatal stacktrace.
-      Fixes bug 27335; bugfix on 0.3.2.1.
diff --git a/changes/bug27464 b/changes/bug27464
deleted file mode 100644
index 9dedd06f41..0000000000
--- a/changes/bug27464
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (continuous integration):
-    - Stop reinstalling identical packages in our Windows CI.
-      Fixes bug 27464; bugfix on 0.3.4.1-alpha.
diff --git a/changes/bug27649 b/changes/bug27649
deleted file mode 100644
index 55bfc3a842..0000000000
--- a/changes/bug27649
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - The protover rewrite in 24031 allowed repeated votes from the same
-      voter for the same protocol version to be counted multiple times in
-      protover_compute_vote(). Fixes bug 27649; bugfix on 0.3.3.5-rc.
diff --git a/changes/bug27658 b/changes/bug27658
deleted file mode 100644
index 8cc0aa4714..0000000000
--- a/changes/bug27658
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes (testing):
-    - If a unit test running in a subprocess exits abnormally or with a
-      nonzero status code, treat the test as having failed, even if
-      the test reported success. Without this fix, memory leaks don't cause
-      cause the tests to fail, even with LeakSanitizer. Fixes bug 27658;
-      bugfix on 0.2.2.4-alpha.
diff --git a/changes/bug27687 b/changes/bug27687
deleted file mode 100644
index 8b7903b63e..0000000000
--- a/changes/bug27687
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - protover parsed and accepted unknown protocol names containing invalid
-      characters outside the range [A-Za-z0-9-]. Fixes bug 27687; bugfix on
-      0.3.3.1-alpha.
diff --git a/changes/bug27708 b/changes/bug27708
deleted file mode 100644
index d283b19515..0000000000
--- a/changes/bug27708
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Major bugfixes (restart-in-process):
-    - Fix a use-after-free error that could be caused by passing Tor an
-      impossible set of options that would fail during options_act().
-      Fixes bug 27708; bugfix on 0.3.3.1-alpha.
diff --git a/changes/bug27709 b/changes/bug27709
deleted file mode 100644
index 49e87cbb0a..0000000000
--- a/changes/bug27709
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (code safety):
-    - Rewrite our assertion macros so that they no longer suppress
-      the compiler's -Wparentheses warnings on their inputs. Fixes bug 27709;
-      bugfix on 0.0.6.
diff --git a/changes/bug27740 b/changes/bug27740
deleted file mode 100644
index 76a17b7dda..0000000000
--- a/changes/bug27740
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - Return a string that can be safely freed by C code, not one created by
-      the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix
-      on 0.3.3.1-alpha.
diff --git a/changes/bug27741 b/changes/bug27741
deleted file mode 100644
index 531e264b63..0000000000
--- a/changes/bug27741
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (rust, directory authority):
-    - Fix an API mismatch in the rust implementation of
-      protover_compute_vote(). This bug could have caused crashes on any
-      directory authorities running Tor with Rust (which we do not yet
-      recommend). Fixes bug 27741; bugfix on 0.3.3.6.
diff --git a/changes/bug27781 b/changes/bug27781
deleted file mode 100644
index 44d838af8a..0000000000
--- a/changes/bug27781
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Major bugfixes (compilation):
-    - Fix compilation on arm (and other less-used CPUs)
-      when compiling with OpenSSL before 1.1. Fixes bug 27781;
-      bugfix on 0.3.4.1-alpha.
diff --git a/changes/bug27800 b/changes/bug27800
deleted file mode 100644
index 63d5dbc681..0000000000
--- a/changes/bug27800
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (directory authority):
-    - Log additional info when we get a relay that shares an ed25519
-      ID with a different relay, instead making a BUG() warning.
-      Fixes bug 27800; bugfix on 0.3.2.1-alpha.
diff --git a/changes/bug27804 b/changes/bug27804
deleted file mode 100644
index fa7fec0bc5..0000000000
--- a/changes/bug27804
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (rust):
-    - Fix a potential null dereference in protover_all_supported().
-      Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
diff --git a/changes/bug27948 b/changes/bug27948
deleted file mode 100644
index fea16f3d0f..0000000000
--- a/changes/bug27948
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes (tests):
-    - Treat backtrace test failures as expected on BSD-derived systems
-      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
-      (FreeBSD failures have been treated as expected since 18204 in 0.2.8.)
-      Fixes bug 27948; bugfix on 0.2.5.2-alpha.
-
diff --git a/changes/bug28202 b/changes/bug28202
deleted file mode 100644
index 182daac4f1..0000000000
--- a/changes/bug28202
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (C correctness):
-    - Avoid undefined behavior in an end-of-string check when parsing the
-      BEGIN line in a directory object.  Fixes bug 28202; bugfix on
-      0.2.0.3-alpha.
diff --git a/changes/geoip-2018-09-06 b/changes/geoip-2018-09-06
deleted file mode 100644
index 851ec46e25..0000000000
--- a/changes/geoip-2018-09-06
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the September 6 2018 Maxmind GeoLite2
-      Country database. Closes ticket 27631.
-
diff --git a/changes/geoip-2018-10-09 b/changes/geoip-2018-10-09
deleted file mode 100644
index 9b8e621852..0000000000
--- a/changes/geoip-2018-10-09
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2
-      Country database. Closes ticket 27991.
-
diff --git a/changes/ticket27252 b/changes/ticket27252
deleted file mode 100644
index 410ddef8c0..0000000000
--- a/changes/ticket27252
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor features (continuous integration):
-    - Skip gcc on OSX in Travis CI, it's rarely used.
-      Skip a duplicate hardening-off build in Travis on Tor 0.2.9.
-      Skip gcc on Linux with default settings, because all the non-default
-      builds use gcc on Linux.
-      Implements ticket 27252.
diff --git a/changes/ticket27252-032 b/changes/ticket27252-032
deleted file mode 100644
index 4752aedcf6..0000000000
--- a/changes/ticket27252-032
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor features (continuous integration):
-    - Only run one online rust build in Travis, to reduce network errors.
-      Skip offline rust builds on Travis for Linux gcc, because they're
-      redundant.
-      Implements ticket 27252.
diff --git a/changes/ticket27252-034 b/changes/ticket27252-034
deleted file mode 100644
index 620ad83efe..0000000000
--- a/changes/ticket27252-034
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor features (continuous integration):
-    - Don't do a distcheck with --disable-module-dirauth in Travis.
-      Implements ticket 27252.
diff --git a/changes/ticket27410 b/changes/ticket27410
deleted file mode 100644
index a21fdde58e..0000000000
--- a/changes/ticket27410
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (hidden service v3):
-    - Close all SOCKS request (for the same .onion) if the newly fetched
-      descriptor is unusable. Before that, we would close only the first one
-      leaving the other hanging and let to time out by themselves. Fixes bug
-      27410; bugfix on 0.3.2.1-alpha.
diff --git a/changes/ticket27738 b/changes/ticket27738
deleted file mode 100644
index f23bfb019e..0000000000
--- a/changes/ticket27738
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (continuous integration):
-    - Use the Travis Homebrew addon to install packages on macOS. The package
-      list is the same, but the Homebrew addon does not do a `brew update` by
-      default. Implements ticket 27738.
diff --git a/changes/ticket27797 b/changes/ticket27797
deleted file mode 100644
index f07e35f84c..0000000000
--- a/changes/ticket27797
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (node, hidden service v3):
-    - When selecting a v3 rendezvous point, not only look at the protover but
-      also if the curve25519 onion key is present. That way we avoid picking a
-      node that supports the v3 rendezvous but for which we don't have the
-      descriptor yet for the key. Fixes bug 27797; bugfix on 0.3.2.1-alpha.
diff --git a/changes/ticket27810 b/changes/ticket27810
deleted file mode 100644
index 119f781cb9..0000000000
--- a/changes/ticket27810
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (test, hidden service v3):
-    - Make the the hs_service tests uses the same time source when creating
-      the introduction point and testing it. This helps make test work on very
-      slow system like ARM or Travis. Fixes bug 27810; bugfix on
-      0.3.2.1-alpha.
diff --git a/changes/ticket27849 b/changes/ticket27849
deleted file mode 100644
index c2babeffc7..0000000000
--- a/changes/ticket27849
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Major bugfixes (mainloop, bootstrap):
-    - Make sure Tor bootstraps and works properly if only the ControlPort is
-      set. Prior to this fix, Tor would only bootstrap with at least a client
-      port being set (Socks, Trans, NATD, DNS or HTTPTunnel port). Fixes bug
-      27849; bugfix on 0.3.4.1-alpha.
diff --git a/changes/ticket28089 b/changes/ticket28089
deleted file mode 100644
index a900ec18f5..0000000000
--- a/changes/ticket28089
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Major bugfixes (relay):
-    - When our write bandwidth limit is exhausted, stop writing on the
-      connection. Previously, we had a typo in the code that would make us stop
-      reading leading to relay connections being stuck indefinitely. Fixes bug
-      28089; bugfix on 0.3.4.1-alpha.
-
diff --git a/changes/tickets_27765_27943 b/changes/tickets_27765_27943
deleted file mode 100644
index e8468545f1..0000000000
--- a/changes/tickets_27765_27943
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (CI, appveyor):
-    - Only install the necessary mingw packages during our appveyor
-      builds. This change makes the build a little faster, and prevents a
-      conflict with a preinstalled mingw openssl that appveyor now ships.
-      Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha.