diff --git a/CHANGELOG b/CHANGELOG
index 6b823c3aa..138ebe5c5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,132 @@
 ChangeLog :
 ===========
 
+2025/09/05 : 3.3-dev8
+    - BUG/MEDIUM: mux-h2: fix crash on idle-ping due to unwanted ABORT_NOW
+    - BUG/MINOR: quic-be: missing Initial packet number space discarding
+    - BUG/MEDIUM: quic-be: crash after backend CID allocation failures
+    - BUG/MEDIUM: ssl: apply ssl-f-use on every "ssl" bind
+    - BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
+    - MINOR: dns: dns_connect_nameserver: fix fd leak at error path
+    - BUG/MEDIUM: quic: reset padding when building GSO datagrams
+    - BUG/MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested
+    - BUG/MAJOR: quic: fix INITIAL padding with probing packet only
+    - BUG/MINOR: quic: don't coalesce probing and ACK packet of same type
+    - MINOR: quic: centralize padding for HP sampling on packet building
+    - MINOR: http_ana: fix typo in http_res_get_intercept_rule
+    - BUG/MEDIUM: http_ana: handle yield for "stats http-request" evaluation
+    - MINOR: applet: Rely on applet flag to detect the new api
+    - MINOR: applet: Add function to test applet flags from the appctx
+    - MINOR: applet: Add a flag to know an applet is using HTX buffers
+    - MINOR: applet: Make some applet functions HTX aware
+    - MEDIUM: applet: Set .rcv_buf and .snd_buf functions on default ones if not set
+    - BUG/MEDIUM: mux-spop: Reject connection attempts from a non-spop frontend
+    - REGTESTS: jwt: create dynamically "cert.ecdsa.pem"
+    - BUG/MEDIUM: spoe: Improve error detection in SPOE applet on client abort
+    - MINOR: haproxy: abort config parsing on fatal errors for post parsing hooks
+    - MEDIUM: server: split srv_init() in srv_preinit() + srv_postinit()
+    - MINOR: proxy: handle shared listener counters preparation from proxy_postcheck()
+    - DOC: configuration: reword 'generate-certificates'
+    - BUG/MEDIUM: quic-be: avoid crashes when releasing Initial pktns
+    - BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets
+    - MINOR: ssl: diagnostic warning when both 'default-crt' and 'strict-sni' are used
+    - MEDIUM: ssl: convert diag to warning for strict-sni + default-crt
+    - DOC: configuration: clarify 'default-crt' and implicit default certificates
+    - MINOR: quic: remove ->offset qf_crypto struct field
+    - BUG/MINOR: mux-quic: trace with non initialized qcc
+    - BUG/MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found
+    - BUG/MEDIUM: mworker: fix startup and reload on macOS
+    - BUG/MINOR: connection: rearrange union list members
+    - BUG/MINOR: connection: remove extra session_unown_conn() on reverse
+    - MINOR: cli: display failure reason on wait command
+    - BUG/MINOR: server: decrement session idle_conns on del server
+    - BUG/MINOR: mux-quic: do not access conn after idle list insert
+    - MINOR: session: document explicitely that session_add_conn() is safe
+    - MINOR: session: uninline functions related to BE conns management
+    - MINOR: session: refactor alloc/lookup of sess_conns elements
+    - MEDIUM: session: protect sess conns list by idle_conns_lock
+    - MINOR: server: shard by thread sess_conns member
+    - MEDIUM: server: close new idle conns if server in maintenance
+    - MEDIUM: session: close new idle conns if server in maintenance
+    - MINOR: server: cleanup idle conns for server in maint already stopped
+    - MINOR: muxes: enforce thread-safety for private idle conns
+    - MEDIUM: conn/muxes/ssl: reinsert BE priv conn into sess on IO completion
+    - MEDIUM: conn/muxes/ssl: remove BE priv idle conn from sess on IO
+    - MEDIUM: mux-quic: enforce thread-safety of backend idle conns
+    - MAJOR: server: implement purging of private idle connections
+    - MEDIUM: session: account on server idle conns attached to session
+    - MAJOR: server: do not remove idle conns in del server
+    - BUILD: mworker: fix ignoring return value of ‘read’
+    - DOC: unreliable sockpair@ on macOS
+    - MINOR: muxes: adjust takeover with buf_wait interaction
+    - OPTIM: backend: set release on takeover for strict maxconn
+    - DOC: configuration: confuse "strict-mode" with "zero-warning"
+    - MINOR: doc: add missing statistics column
+    - MINOR: doc: add missing statistics column
+    - MINOR: stats: display new curr_sess_idle_conns server counter
+    - MINOR: proxy: extend "show servers conn" output
+    - MEDIUM: proxy: Reject some header names for 'http-send-name-header' directive
+    - BUG/BUILD: stats: fix build due to missing stat enum definition
+    - DOC: proxy-protocol: Make example for PP2_SUBTYPE_SSL_SIG_ALG accurate
+    - CLEANUP: quic: remove a useless CRYPTO frame variable assignment
+    - BUG/MEDIUM: quic: CRYPTO frame freeing without eb_delete()
+    - BUG/MAJOR: mux-quic: fix crash on reload during emission
+    - MINOR: conn/muxes/ssl: add ASSUME_NONNULL() prior to _srv_add_idle
+    - REG-TESTS: map_redirect: Don't use hdr_dom in ACLs with "-m end" matching method
+    - MINOR: acl: Only allow one '-m' matching method
+    - MINOR: acl; Warn when matching method based on a suffix is overwritten
+    - BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server
+    - BUG/MINOR: server: Duplicate healthcheck's sni inherited from default server
+    - BUG/MINOR: acl: Properly detect overwritten matching method
+    - BUG/MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url()
+    - BUG/MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger()
+    - BUG/MINOR: acl: Add OOM check for calloc() in smp_fetch_acl_parse()
+    - BUG/MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen()
+    - BUG/MINOR: compression: Add OOM check for calloc() in parse_compression_options()
+    - BUG/MINOR: tools: Add OOM check for malloc() in indent_msg()
+    - BUG/MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames
+    - MINOR: quic/flags: complete missing flags
+    - BUG/MINOR: quic: fix room check if padding requested
+    - BUG/MINOR: quic: fix padding issue on INITIAL retransmit
+    - BUG/MINOR: quic: pad Initial pkt with CONNECTION_CLOSE on client
+    - MEDIUM: quic: strengthen BUG_ON() for unpad Initial packet on client
+    - DOC: configuration: rework the jwt_verify keyword documentation
+    - BUG/MINOR: haproxy: be sure not to quit too early on soft stop
+    - BUILD: acl: silence a possible null deref warning in parse_acl_expr()
+    - MINOR: quic: Add more information about RX packets
+    - CI: fix syntax of Quic Interop pipelines
+    - MEDIUM: cfgparse: warn when using user/group when built statically
+    - BUG/MEDIUM: stick-tables: don't leave the expire loop with elements deleted
+    - BUG/MINOR: stick-tables: never leave used entries without expiration
+    - BUG/MEDIUM: peers: don't fail twice to grab the update lock
+    - MINOR: stick-tables: limit the number of visited nodes during expiration
+    - OPTIM: stick-tables: exit expiry faster when the update lock is held
+    - MINOR: counters: retrieve detailed errmsg upon failure with counters_{fe,be}_shared_prepare()
+    - MINOR: stats-file: introduce shm-stats-file directive
+    - MEDIUM: stats-file: processes share the same clock source from shm-stats-file
+    - MINOR: stats-file: add process slot management for shm stats file
+    - MEDIUM: stats-file/counters: store and preload stats counters as shm file objects
+    - DOC: config: document "shm-stats-file" directive
+    - OPTIM: stats-file: don't unnecessarily die hard on shm_stats_file_reuse_object()
+    - MINOR: compiler: add ALWAYS_PAD() macro
+    - BUILD: stats-file: fix aligment issues
+    - MINOR: stats-file: reserve some bytes in exported structs
+    - MEDIUM: stats-file: add some BUG_ON() guards to ensure exported structs are not changed by accident
+    - BUG/MINOR: check: ensure check-reuse is compatible with SSL
+    - BUG/MINOR: check: fix dst address when reusing a connection
+    - REGTESTS: explicitly use "balance roundrobin" where RR is needed
+    - MAJOR: backend: switch the default balancing algo to "random"
+    - BUG/MEDIUM: conn: fix UAF on connection after reversal on edge
+    - BUG/MINOR: connection: streamline conn detach from lists
+    - BUG/MEDIUM: quic-be: too early SSL_SESSION initialization
+    - BUG/MINOR: log: fix potential memory leak upon error in add_to_logformat_list()
+    - MEDIUM: init: always warn when running as root without being asked to
+    - MINOR: sample: Add base2 converter
+    - MINOR: version: add -vq, -vqb, and -vqs flags for concise version output
+    - BUILD: trace: silence a bogus build warning at -Og
+    - MINOR: trace: accept trace spec right after "-dt" on the command line
+    - BUILD: makefile: bump the default minimum linux version to 4.17
+
 2025/08/20 : 3.3-dev7
     - MINOR: quic: duplicate GSO unsupp status from listener to conn
     - MINOR: quic: define QUIC_FL_CONN_IS_BACK flag
diff --git a/VERDATE b/VERDATE
index 3f54c37c2..4be54261a 100644
--- a/VERDATE
+++ b/VERDATE
@@ -1,2 +1,2 @@
 $Format:%ci$
-2025/08/20
+2025/09/05
diff --git a/VERSION b/VERSION
index 8d49693ce..4aca116b1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.3-dev7
+3.3-dev8
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 413d07cf4..507c2da03 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3,7 +3,7 @@
                           Configuration Manual
                          ----------------------
                               version 3.3
-                              2025/08/20
+                              2025/09/05
 
 
 This document covers the configuration language as implemented in the version