diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 4b7aaf2dd5264596e967260af2219533f63f3e0f..d442629ab30a09b291398eb72709f16c1e345dea 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,9 +1,11 @@
 // $Id$

-Drupal 5.20-dev xxxx-xx-xx
+Drupal 5.20, 2009-09-16
 -----------------------
-- The 'access' element for hook_menu() now interprets Drupal 6 style values,
- like array('access content').
+- Avoid security problems resulting from writing Drupal 6-style menu
+ declarations.
+- Fixed security issues (session fixation), see SA-CORE-2009-008.
+- Fixed a variety of small bugs.

 Drupal 5.19, 2009-07-01
 -----------------------
diff --git a/modules/system/system.module b/modules/system/system.module
index 7313a6a3850b3e3127efa97a19ca0a4782c124d4..8f814f29c42c0bd4e4c87915876b87a221b0d368 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
 * Configuration system that lets administrators modify the workings of the site.
 */

-define('VERSION', '5.20-dev');
+define('VERSION', '5.20');

 /**
 * Implementation of hook_help().
diff --git a/modules/user/user.module b/modules/user/user.module
index 1e689a534f3c7d4b5da7ed3297d891d47c44edf6..c5cadd6592749c7584dced023c6917f6e561ca03 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1149,6 +1149,8 @@ function user_pass_reset($uid, $timestamp, $hashed_pass, $action = NULL) {
 $user = $account;
 // And proceed with normal login, going to user page.
 $edit = array();
+ // Regenerate the session ID to prevent against session fixation attacks.
+ sess_regenerate();
 user_module_invoke('login', $edit, $user);
 drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
 drupal_goto('user/'. $user->uid .'/edit');
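Review bot: The new `sess_regenerate()` call in the user.module hunk is placed after the account is bound to the session (`$user = $account;`) and before `user_module_invoke('login', ...)`, which is the right ordering, but this diff does not touch includes/session.inc, so it relies on `sess_regenerate()` already existing on the 5.x branch and on it rewriting the `{sessions}` row to the new id rather than only calling `session_regenerate_id()` — worth confirming, since otherwise the old, attacker-chosen id would stay valid in the database. The one-time login link is only one authentication path; the normal login form presumably needs the same regeneration, and from this hunk I cannot tell whether it already has it. The added comment reads awkwardly and does not say why; I would write `// Regenerate the session ID so that a session ID fixed by an attacker before login is not carried over (session fixation).` user_pass_reset() begins and ends outside the hunk.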