diff --git a/NEWS b/NEWS index 2da4577e56..6d842c47b2 100644 --- a/NEWS +++ b/NEWS 
@@ -6,6 +6,152 @@ releases. For more information about the current release, please consult RELEASE-NOTES. For more information about changes, please consult ChangeLog. +Invenio v2.1.1 -- released 2015-09-01 +------------------------------------- + +Security fixes +~~~~~~~~~~~~~~ + ++ global + + - Fixes potential XSS issues by changing main flash messages + template so that they are not displayed as safe HTML by default. + ++ search + + - Fixes potential XSS issues by changing search flash messages + template so that they are not displayed as safe HTML by default. + +Incompatible changes +~~~~~~~~~~~~~~~~~~~~ + ++ access + + - Removes configuration option CFG_SUPERADMINROLE_ID. + - Replaces all zero values with NULL in the table + accROLE_accACTION_accARGUMENT. The usage of NULL value in + substitution of zero value was introduced in the commit 7974188 + because Foreign Key does not support it. + +Improved features +~~~~~~~~~~~~~~~~~ + ++ I18N + + - Completes Italian translation. + - Completes French translation. + ++ accounts + + - Uses the localized site name when sending email to users. (#3273) + ++ docker + + - Improves Docker documentation notably related to how to work with + Invenio site overlays. + ++ global + + - Adds super(SmartDict, self).__init__ call in the __init__ method + in SmartDict to be able to make multiple inheritance in Record + class in invenio-records and be able to call both parent's + __init__. + ++ jasmine + + - Allows using variables from application config for building asset + bundles. + ++ legacy + + - Improves exception handling of integrity errors raised by MySQLdb + library. + +Bug fixes +~~~~~~~~~ + ++ OAIHarvest + + - Fixes the parsing of resumptiontoken in incoming OAI-PMH XML which + could fail when the resumptiontoken was empty. + ++ access + + - Sets superadmin role ID included in roles list returned from + acc_find_possible_roles to the correct, current value. 
(#3390) + (#3392) + - Fixes the authorization delete query to consider NULL value on + id_accARGUMENT authorization column. The usage of NULL value in + substitution of zero value was introduced in the commit 7974188 + because Foreign Key does not support it. + - Fixes property id_accARGUMENT of AccAuthorization model. + ++ encoder + + - Corrects the `compose_file` function call in `process_batch_job` + to produce `/content.` instead of + `/content.content;`. (#3354) + ++ global + + - Fixes the way configuration variables are parsed from ENV. It now + uses the same method we are using in `inveniomanage config set`. + This fixes the problem that `False` is not parsed correctly. + ++ i18n + + - Updates PO message catalogues and cleans them of duplicated + messages. (#3455) + ++ indexer + + - Adds missing `get_nearest_terms_in_idxphrase_with_collection` + import. Fixes the name of field argument, and returns an empty + list when no model is passed. (#3271) + ++ installation + + - Fixes database creation and upgrading by limiting Alembic version + to <0.7. + ++ legacy + + - Addresses an issue with calling six urllib.parse in a wrong way, + making users unable to harvest manually from the command line. + ++ login + + - Provides flash message to indicate that an email with password + recovery could not be sent. (#3309) + ++ search + + - Enforces query string to be unicode to overcome pypeg2 parsing + issues. (#3296) + - Fixes admin interface for managing facets. (#3333) + +Notes +~~~~~ + ++ global + + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: '(html_safe)', 'info(html_safe)', + 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', + 'success(html_safe)' instead of the standard ones (which are the + same without '(html safe)' at the end). + - Backports Flask-IIIF extension from original commit + 213b6f1144734c9ecf425a1bc7b78e56ee5e4e3e. 
The extension is not + enabled by default in order to avoid feature addition to existing + minor release. + ++ search + + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: 'search-results-after(html_safe)', + 'websearch-after-search-form(html_safe)' instead of the standard + ones (which are the same without '(html safe)' at the end). + Invenio v2.1.0 -- released 2015-06-16 ------------------------------------- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 5b9f1d749a..b4ff6f3dd7 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,8 +1,8 @@ ============================ - Invenio v2.1.0 is released + Invenio v2.1.1 is released ============================ -Invenio v2.1.0 was released on June 16, 2015. +Invenio v2.1.1 was released on September 1, 2015. About ----- 
@@ -13,548 +13,157 @@ digital library or document repository on the web. Security fixes -------------- -+ docker: ++ global - - Disables debug mode when using standard Docker image. Uses docker - compose to set the variable instead. + - Fixes potential XSS issues by changing main flash messages + template so that they are not displayed as safe HTML by default. -Incompatible changes --------------------- - -+ access: - - - Removes proprietary authentication protocol for robotlogin. - (#2972) - - - Removes external authentication engines. Please use - `invenio.modules.oauthclient` or Flask-SSO instead. (#1083) - -+ assets: - - - Removes support for runtime compiling of less files in debug mode - when option LESS_RUN_IN_DEBUG is enabled. (#2923) - - - Requires update of bootstrap version of overlays. - -+ collections: - - - Collection reclist is not populated anymore. Use collection phrase - index using query matcher based on record data, hence no second - order operator will work in collection query definition. - -+ communities: - - - Removes 'communities' module that has been externalised to - separate Python package called 'invenio_communities'. Migration - can be done by running `pip install invenio_communities` and - adding 'invenio_communites' to PACKAGES. (#3008) - -+ formatter: - - - Database table 'format' and 'formatname' have been dropped and - foreign keys in other tables has been changed to use lower case - version of output format base filename without extension name. - - - Output formats are no longer modifiable from web interface as they - syntax has been changed from custom "bfo" to "yml". (#2662) - - - Custom output formats from the database needs to by merged with - `bfo` files to new `yml` files. Please follow instructions when - running `python scripts/output_format_migration_kit.py`. - -+ global: - - - Removes old URL handlers for `/search` and `/record`. (#2958) - - - Enables 'sql_mode' as 'ansi_quotes' for quotes compatibility for - MySQL. 
- - - Drops all active sessions during upgrade. Might result in log - entries about non-restorable sessions. - - - Drops all active sessions during upgrade. Might result in log - entries about non-restorable sessions. - - - Moves `deprecated` decorator under `invenio/utils/deprecation.py` - - - Changes url_for behaviour to return always a unicode string. - (#2967) - - - Deprecates invenio.config hack for legacy code. (#3106) - - - Deprecates use of invenio.utils.redis in favor of - invenio.ext.cache. (#2885) - - - Removes support for custom remote debuggers. (#2945) - -+ installation: - - - Upgrades minimum SQLAlchemy version to resolve Enum life cycle - problems on PostgreSQL. (#2351) - -+ legacy: - - - Specifies deprecation warnings for all remaining legacy modules - according to the latest Invenio 3 road map. - - - Specifies deprecation warnings for legacy modules bibcirculation, - bibdocfile, bibedit, elmsubmit, websearch_external_collections, - and websubmit. - - - Enables 'sql_mode' as 'ansi_quotes' for quotes compatibility for - MySQL. - - - Removes deprecated bibknowledge module. - - - Removes deprecated `inveniocfg` command line interface. - -+ multimedia: - - - Depreactes multimedia module. - -+ search: - - - Removes support for legacy `perform_request_search` and - `search_unit` API functions. - - - Removes support for specific Aleph idendifiers from search engine. - -New features ------------- - -+ access: - - - Adds 'usedeposit' action which enables per user access - restrictions for different deposit types. (#2724) - - - Adds the ability to restrict access per object independently from - the parent. - -+ accounts: - - - Adds support for allowing users to update their profile (nickname, - email, family name and given name). - - - Adds support for users to re-request an verification email to be - sent. - - - Adds new Passlib Flask extension to support configurable password - contexts in Invenio. (#2874) - - - Adds panel blocks to settings templates. 
- -+ babel: - - - Adds datetime localization template filters. - -+ collections: - - - Adds new calculated field '_collections' to records from which the - 'collection' index is created. (#2638) - -+ deposit: - - - Adds generic JinjaField and JinjaWidget to render templates as - form fields. This might be used in case longer explainations are - required for forms or to add pictures and other material that may - increase usability. - -+ global: - - - Uses Flask-IIIF extension providing various image manipulation - capabilities. - - - Adds possibility to refer to documents and legacy BibDocFiles via - special path such as `/api/multimedia/image/recid:{recid}` or - `/api/multimedia/image/recid:{recid}-{filename}` or - `/api/multimedia/image/uuid` with proper permission checking. - (#3080) (#3084) - - - Adds general pagination macro for Flask-SQLAlchemy Pagination - object. (PR #3006) - - - Adds 'noscript' block to the page template to warn users with - disabled JavaScript on their browser. (#1039) - -+ knowledge: - - - Adds manager to knowledge with a command to load mappings into an - existing knowledge base from a file. E.g. `inveniomanage knowledge - load kb_name /path/to/file.kb` - -+ oauthclient: - - - Adds support for CERN OAuth authentication. - -+ records: - - - Adds support for granting author/viewer rights to records via tags - by specifying CFG_ACC_GRANT_AUTHOR_RIGHTS_TO_USERIDS_IN_TAGS - and/or CFG_ACC_GRANT_VIEWER_RIGHTS_TO_USERIDS_IN_TAGS. (#2873) - -+ script: - - - Implements optional TLS encryption directly by Werkzeug. Adds many - configuration variables (`SERVER_TLS_*`) to control the behaviour. - - - Adds support for PostgreSQL database initialization. - -+ search: - - - Implements a mechanism that enhances user queries. The enhancer - functions are specified in the 'SEARCH_QUERY_ENHANCERS' and later - they are applied to the query AST one after the other in the - search method. (#2987) - - - Adds new API for querying records. 
- - - Adds new configuration option SEARCH_WALKERS which specifies - visitor classes that should be applied to a search query. - - - Adds additional search units for the auxiliary author fields - `firstauthor`, `exactauthor`, `exactfirstauthor` and - `authorityauthor`. - - - Adds missing operator handling of greater than (>) queries. - - - Adds new configuration varibles `SEARCH_QUERY_PARSER` and - `SEARCH_QUERY_WALKERS` for query parser. ++ search - - Adds new API for record matching againts given query. + - Fixes potential XSS issues by changing search flash messages + template so that they are not displayed as safe HTML by default. -+ template: - - - Adds bootstrap scrollspy to the base template so it can be used by - all modules. +Incompatible changes +-------------------- -+ workflows: ++ access - - Adds new buttons to the Holding Pen details pages to delete and - restart current task. + - Removes configuration option CFG_SUPERADMINROLE_ID. + - Replaces all zero values with NULL in the table + accROLE_accACTION_accARGUMENT. The usage of NULL value in + substitution of zero value was introduced in the commit 7974188 + because Foreign Key does not support it. Improved features ----------------- -+ accounts: - - - Improves legend alignment in login form. - -+ classifier: - - - Improves the stripping of reference section when extracting text - from PDF by using a more appropriate refextract API. - -+ deposit: - - - Corrects reflow on narrow screens and removes misused classes for - labels. - - - Adds sticky navigation item to the deposit page to simplify - overview on larger forms. Works well with collapsed elements. On - narrow screens the navigation gets pushed in front of all other - form elements. - - - Improves handling of large files in deposit. - - - Fixes problem with misaligned checkbox and radio list items. They - are produced because wtforms does not wrap input elements into - labels as it is intended by the bootstrap framework. 
- -+ docker: - - - Changes port number exposed by docker to non-reserved ones to - avoid conflicts with local installations. Webport is now 28080, - Redis 26379 and MySQL is 23306, which is a simple +20000 shift - from the standard ports. - - - Integrates docker boot script into docker image. - - - Changes docker boot script to use `exec`. This ensure signal - forwarding and reduces the overhead by one process. As a result - container shutdown is faster now. - - - Changes manual master/slave configuration of Docker devboot script - to automatic solution using file locks. - -+ formatter: - - - Improves support for translated output format names on search - results page. (#2429) - -+ global: ++ I18N - - Supports database creation on PostgreSQL server. + - Completes Italian translation. + - Completes French translation. - - Implements session signing. This avoids cache request for invalid - sessions and reduces the DDoS attack surface. ++ accounts - - Removes IP address storage+checks. This avoids data privacy issues - and enables users with multiple connections (e.g. WIFI+LTE, - multiple WIFI connections on trains+stations) to stay signed in. + - Uses the localized site name when sending email to users. (#3273) - - Enhances `run_py_func` to be able to print both to some StringIO - and to the terminal at the same time. This is enabled with the - `passthrough` argument. It now also always returns stderr, - deprecating the `capture_stderr` argument. The return value is now - a namedtuple so that one can easily fetch the required value. Its - arguments to a more natural order (name of the executable first - and arguments afterwards. ++ docker - - Supports database creation on PostgreSQL server. + - Improves Docker documentation notably related to how to work with + Invenio site overlays. 
- - Improves compatibility of Text fields in PostrgeSQL by changing - Text in models and removes Invenio hacks on MySQL Index and - Primary Key creation because starting from SQLAlchemy>=1.0 it - arises an exception if the length is specified. (#3037) ++ global -+ knowledge: + - Adds super(SmartDict, self).__init__ call in the __init__ method + in SmartDict to be able to make multiple inheritance in Record + class in invenio-records and be able to call both parent's + __init__. - - Relaxes constraints on dynamic search function that used to force - us to create temporary knowledge base. (#698) ++ jasmine -+ legacy: + - Allows using variables from application config for building asset + bundles. - - Supports database creation on PostgreSQL server. ++ legacy -+ oauthclient: - - - Extra template block addition. - -+ refextract: - - - Replaces usage of 'urllib' by 'requests' library and improves - manipulation with temporary file used for extraction of - references. - -+ script: - - - Uses SQLAlchemy and SQLAlchemy-Utils to initialize the database - instead of executing mysql in a python subshell. (#2846) (#2844) - -+ search: - - - The search results pages emits proper Cache and TTL information in - its HTTP headers, so that any eventual external cachers (such as - varnish) could act accordingly to invalidate their caches - automatically, without any configuration. (#2302) - - - Collection filtering of search results no longer returns orphan - records. - - - Improves native facet creations. - -+ template: - - - Replaces Invenio PNG logo with SVG version. This works better on - high resolution (retina) screens and it is supported by all - browers. - -+ unapi: - - - Separates UnAPI url handling to a new module. - -+ upgrader: - - - Clarifies that the upgrade dependency is only a best guess. - (#2561) - -+ workflows: - - - Updates the layout of the details pages in Holding Pen to display - at which step the object is in the workflow. 
- - - When rendering the task results, the Holding Pen now passes a - dictionary instead of a list in order to allow finer grained - control in the template. + - Improves exception handling of integrity errors raised by MySQLdb + library. Bug fixes --------- -+ access: - - - Sets the superadmin role ID properly when elaborating access - authorizations. Previously it was masked behind an application - context exception. (#3184) ++ OAIHarvest -+ accounts: + - Fixes the parsing of resumptiontoken in incoming OAI-PMH XML which + could fail when the resumptiontoken was empty. - - Fixes invalid HTML of the 'remember me' login form checkbox. ++ access - - Corrects conditions on when to sent a notification email. - (addresses zenodo/zenodo#275) (#3163) + - Sets superadmin role ID included in roles list returned from + acc_find_possible_roles to the correct, current value. (#3390) + (#3392) + - Fixes the authorization delete query to consider NULL value on + id_accARGUMENT authorization column. The usage of NULL value in + substitution of zero value was introduced in the commit 7974188 + because Foreign Key does not support it. + - Fixes property id_accARGUMENT of AccAuthorization model. - - Fixes issue that allowed blocked accounts to login. ++ encoder -+ classifier: + - Corrects the `compose_file` function call in `process_batch_job` + to produce `/content.` instead of + `/content.content;`. (#3354) - - Properly handles file paths containing a colon (:), avoiding bad - text extraction that causes (1) wrong results and (2) much slower - execution. ++ global - - Properly tags the execution of classifier as fast in the standard - workflow task when applicable. + - Fixes the way configuration variables are parsed from ENV. It now + uses the same method we are using in `inveniomanage config set`. + This fixes the problem that `False` is not parsed correctly. -+ deposit: ++ i18n - - Fixes issue with PLUpload chunking not being enabled. 
+ - Updates PO message catalogues and cleans them of duplicated + messages. (#3455) - - Fixes "both collapse arrows are shown" bug in deposit frontend. ++ indexer -+ formatter: + - Adds missing `get_nearest_terms_in_idxphrase_with_collection` + import. Fixes the name of field argument, and returns an empty + list when no model is passed. (#3271) - - Changes the mimetype of the `id` output format to application/json - and properly returns a JSON formatted list of results. ++ installation -+ indexer: + - Fixes database creation and upgrading by limiting Alembic version + to <0.7. - - Avoids an exception from happening when passing a unicode string - to the BibIndex engine washer. (#2981) ++ legacy -+ installation: + - Addresses an issue with calling six urllib.parse in a wrong way, + making users unable to harvest manually from the command line. - - Fixes capitalization of package names. ++ login -+ legacy: + - Provides flash message to indicate that an email with password + recovery could not be sent. (#3309) - - Fixes inveniogc crash when mysql is NOT used to store sessions. - (#3205) ++ search - - Catches also any `MySQLdb.OperationalError` coming from legacy - MySQL queries using `run_sql()`. (#3089) - - - Fixes an issue with outputting the post-process arguments when - adding or editing an OAI source. - -+ oauthclient: - - - Marks email address of users creating their account with oauth - process as invalid. - - - Sends a validation email when users create their account with - oauth. (#2739) - - - Improves security by leaving users' password uninitialized when - their account is created by the oauth module. - -+ records: - - - Improves type consistency of keys and values in JSON record - created from MARC and retrieved from storage engine. (#2772) - - - Fixes double message flashing issues during 401 errors. - - - Fixes issue with empty records not returning an 404 error. - - - Fixes 500 error when record does not exist. 
(#2891) - -+ search: - - - Fixes an issue of returning the wrong results when searching for - single values in the author field (e.g. 'author:ellis'). - -+ submit: - - - Fixes upgrade recipe for SbmCOLLECTION_SbmCOLLECTION table - introduced in commit @1021055. (#2954) - -+ workflows: - - - Fixes an issue where the workflow engine would try to save a - function reference in the extra_data task history, causing an - error when serializing extra_data. + - Enforces query string to be unicode to overcome pypeg2 parsing + issues. (#3296) + - Fixes admin interface for managing facets. (#3333) Notes ----- -+ access: - - - The default access role ID for the superadmin user is 1, but it - can be configured via CFG_SUPERADMINROLE_ID. - - - Requires running `webaccessadmin -u admin -c -a -D` command. - -+ accounts: - - - Changes user model fields family name/given names to store empty - string as default instead of null. - - - Adds support for users to change email address/nickname. If you - store email addresses in e.g. records or fireroles you are - responsible for propagating the users change of email address by - adding listeners to the 'profile-updated' signal. Alternatively - you can migrate records (using - CFG_ACC_GRANT_AUTHOR_RIGHTS_TO_USERIDS_IN_TAGS and - CFG_ACC_GRANT_VIEWER_RIGHTS_TO_USERIDS_IN_TAGS) and fireroles - (using "allow/deny uid ") to restrict access based on user id - instead of user email address. - - - Refactors password hashing to (a) explicitly specify password salt - instead of relying on the email address, since a change of email - would cause the password to be invalidated (b) support multiple - password hashing algorithms concurrently (c) automatic migration - of deprecated hashes when users log in (d) allows overlays to - specify their preferred hashing algorithms. 
- - - Deprecates legacy Invenio's hashing algorithm based on AES - encryption of email address using the password as secret key in - favor of SHA512 using random salt and 100000 rounds. - -+ assets: - - - Updates Twitter Bootstrap to 3.3 to fix some issues, e.g. to low - colour contrast of navbar background<->font. Requires update of - Twitter Bootstrap version in Invenio overlays. - -+ collections: - - - The tag table now contains 'collection idetifier' with correct - 'value' and 'recjson_value' ('' and '_collections'). - -+ formatter: - - - Invenio 1.x BFT template language and BFE elements are being - deprecated. Please migrate overlay output formats to use Jinja2. - (#2662) - - - Removes fallback template rendering and puts standard exception - logging in place. (#2958) - -+ global: - - - Removes unused legacy cascade style sheets. (#2040) - -+ indexer: - - - The lower_index_term() now returns the term as a Unicode string - which can have an impact on custom tokenizers and regular - indexing. - -+ installation: - - - Adds missing access rights for database user accessing server from - localhost. (#3146) - -+ records: ++ global - - Ports basic BibDocFile serving including access right checks. - (#3160) + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: '(html_safe)', 'info(html_safe)', + 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', + 'success(html_safe)' instead of the standard ones (which are the + same without '(html safe)' at the end). + - Backports Flask-IIIF extension from original commit + 213b6f1144734c9ecf425a1bc7b78e56ee5e4e3e. The extension is not + enabled by default in order to avoid feature addition to existing + minor release. -+ unapi: ++ search - - Add `invenio.modules.unapi` to PACKAGES if you would like to keep - the `/unapi` url. 
+ - Displaying HTML safe flash messages can be done by using one of + these flash contexts: 'search-results-after(html_safe)', + 'websearch-after-search-form(html_safe)' instead of the standard + ones (which are the same without '(html safe)' at the end). Installation ------------ - $ pip install invenio + $ pip install invenio==2.1.1 Upgrade ------- $ bibsched stop $ sudo systemctl stop apache2 - $ pip install --upgrade invenio==2.1.0 + $ pip install --upgrade invenio==2.1.1 $ inveniomanage upgrader check $ inveniomanage upgrader run $ sudo systemctl start apache2 @@ -563,7 +172,7 @@ Upgrade Documentation ------------- - http://invenio.readthedocs.org/en/v2.1.0 + http://invenio.readthedocs.org/en/v2.1.1 Happy hacking and thanks for flying Invenio. diff --git a/RELEASE-NOTES.rst b/RELEASE-NOTES.rst index 5b9f1d749a..b4ff6f3dd7 100644 --- a/RELEASE-NOTES.rst +++ b/RELEASE-NOTES.rst @@ -1,8 +1,8 @@ ============================ - Invenio v2.1.0 is released + Invenio v2.1.1 is released ============================ -Invenio v2.1.0 was released on June 16, 2015. +Invenio v2.1.1 was released on September 1, 2015. About ----- 
@@ -13,548 +13,157 @@ digital library or document repository on the web. Security fixes -------------- -+ docker: ++ global - - Disables debug mode when using standard Docker image. Uses docker - compose to set the variable instead. + - Fixes potential XSS issues by changing main flash messages + template so that they are not displayed as safe HTML by default. -Incompatible changes --------------------- - -+ access: - - - Removes proprietary authentication protocol for robotlogin. - (#2972) - - - Removes external authentication engines. Please use - `invenio.modules.oauthclient` or Flask-SSO instead. (#1083) - -+ assets: - - - Removes support for runtime compiling of less files in debug mode - when option LESS_RUN_IN_DEBUG is enabled. (#2923) - - - Requires update of bootstrap version of overlays. - -+ collections: - - - Collection reclist is not populated anymore. Use collection phrase - index using query matcher based on record data, hence no second - order operator will work in collection query definition. - -+ communities: - - - Removes 'communities' module that has been externalised to - separate Python package called 'invenio_communities'. Migration - can be done by running `pip install invenio_communities` and - adding 'invenio_communites' to PACKAGES. (#3008) - -+ formatter: - - - Database table 'format' and 'formatname' have been dropped and - foreign keys in other tables has been changed to use lower case - version of output format base filename without extension name. - - - Output formats are no longer modifiable from web interface as they - syntax has been changed from custom "bfo" to "yml". (#2662) - - - Custom output formats from the database needs to by merged with - `bfo` files to new `yml` files. Please follow instructions when - running `python scripts/output_format_migration_kit.py`. - -+ global: - - - Removes old URL handlers for `/search` and `/record`. (#2958) - - - Enables 'sql_mode' as 'ansi_quotes' for quotes compatibility for - MySQL. 
- - - Drops all active sessions during upgrade. Might result in log - entries about non-restorable sessions. - - - Drops all active sessions during upgrade. Might result in log - entries about non-restorable sessions. - - - Moves `deprecated` decorator under `invenio/utils/deprecation.py` - - - Changes url_for behaviour to return always a unicode string. - (#2967) - - - Deprecates invenio.config hack for legacy code. (#3106) - - - Deprecates use of invenio.utils.redis in favor of - invenio.ext.cache. (#2885) - - - Removes support for custom remote debuggers. (#2945) - -+ installation: - - - Upgrades minimum SQLAlchemy version to resolve Enum life cycle - problems on PostgreSQL. (#2351) - -+ legacy: - - - Specifies deprecation warnings for all remaining legacy modules - according to the latest Invenio 3 road map. - - - Specifies deprecation warnings for legacy modules bibcirculation, - bibdocfile, bibedit, elmsubmit, websearch_external_collections, - and websubmit. - - - Enables 'sql_mode' as 'ansi_quotes' for quotes compatibility for - MySQL. - - - Removes deprecated bibknowledge module. - - - Removes deprecated `inveniocfg` command line interface. - -+ multimedia: - - - Depreactes multimedia module. - -+ search: - - - Removes support for legacy `perform_request_search` and - `search_unit` API functions. - - - Removes support for specific Aleph idendifiers from search engine. - -New features ------------- - -+ access: - - - Adds 'usedeposit' action which enables per user access - restrictions for different deposit types. (#2724) - - - Adds the ability to restrict access per object independently from - the parent. - -+ accounts: - - - Adds support for allowing users to update their profile (nickname, - email, family name and given name). - - - Adds support for users to re-request an verification email to be - sent. - - - Adds new Passlib Flask extension to support configurable password - contexts in Invenio. (#2874) - - - Adds panel blocks to settings templates. 
- -+ babel: - - - Adds datetime localization template filters. - -+ collections: - - - Adds new calculated field '_collections' to records from which the - 'collection' index is created. (#2638) - -+ deposit: - - - Adds generic JinjaField and JinjaWidget to render templates as - form fields. This might be used in case longer explainations are - required for forms or to add pictures and other material that may - increase usability. - -+ global: - - - Uses Flask-IIIF extension providing various image manipulation - capabilities. - - - Adds possibility to refer to documents and legacy BibDocFiles via - special path such as `/api/multimedia/image/recid:{recid}` or - `/api/multimedia/image/recid:{recid}-{filename}` or - `/api/multimedia/image/uuid` with proper permission checking. - (#3080) (#3084) - - - Adds general pagination macro for Flask-SQLAlchemy Pagination - object. (PR #3006) - - - Adds 'noscript' block to the page template to warn users with - disabled JavaScript on their browser. (#1039) - -+ knowledge: - - - Adds manager to knowledge with a command to load mappings into an - existing knowledge base from a file. E.g. `inveniomanage knowledge - load kb_name /path/to/file.kb` - -+ oauthclient: - - - Adds support for CERN OAuth authentication. - -+ records: - - - Adds support for granting author/viewer rights to records via tags - by specifying CFG_ACC_GRANT_AUTHOR_RIGHTS_TO_USERIDS_IN_TAGS - and/or CFG_ACC_GRANT_VIEWER_RIGHTS_TO_USERIDS_IN_TAGS. (#2873) - -+ script: - - - Implements optional TLS encryption directly by Werkzeug. Adds many - configuration variables (`SERVER_TLS_*`) to control the behaviour. - - - Adds support for PostgreSQL database initialization. - -+ search: - - - Implements a mechanism that enhances user queries. The enhancer - functions are specified in the 'SEARCH_QUERY_ENHANCERS' and later - they are applied to the query AST one after the other in the - search method. (#2987) - - - Adds new API for querying records. 
- - - Adds new configuration option SEARCH_WALKERS which specifies - visitor classes that should be applied to a search query. - - - Adds additional search units for the auxiliary author fields - `firstauthor`, `exactauthor`, `exactfirstauthor` and - `authorityauthor`. - - - Adds missing operator handling of greater than (>) queries. - - - Adds new configuration varibles `SEARCH_QUERY_PARSER` and - `SEARCH_QUERY_WALKERS` for query parser. ++ search - - Adds new API for record matching againts given query. + - Fixes potential XSS issues by changing search flash messages + template so that they are not displayed as safe HTML by default. -+ template: - - - Adds bootstrap scrollspy to the base template so it can be used by - all modules. +Incompatible changes +-------------------- -+ workflows: ++ access - - Adds new buttons to the Holding Pen details pages to delete and - restart current task. + - Removes configuration option CFG_SUPERADMINROLE_ID. + - Replaces all zero values with NULL in the table + accROLE_accACTION_accARGUMENT. The usage of NULL value in + substitution of zero value was introduced in the commit 7974188 + because Foreign Key does not support it. Improved features ----------------- -+ accounts: - - - Improves legend alignment in login form. - -+ classifier: - - - Improves the stripping of reference section when extracting text - from PDF by using a more appropriate refextract API. - -+ deposit: - - - Corrects reflow on narrow screens and removes misused classes for - labels. - - - Adds sticky navigation item to the deposit page to simplify - overview on larger forms. Works well with collapsed elements. On - narrow screens the navigation gets pushed in front of all other - form elements. - - - Improves handling of large files in deposit. - - - Fixes problem with misaligned checkbox and radio list items. They - are produced because wtforms does not wrap input elements into - labels as it is intended by the bootstrap framework. 
- -+ docker: - - - Changes port number exposed by docker to non-reserved ones to - avoid conflicts with local installations. Webport is now 28080, - Redis 26379 and MySQL is 23306, which is a simple +20000 shift - from the standard ports. - - - Integrates docker boot script into docker image. - - - Changes docker boot script to use `exec`. This ensure signal - forwarding and reduces the overhead by one process. As a result - container shutdown is faster now. - - - Changes manual master/slave configuration of Docker devboot script - to automatic solution using file locks. - -+ formatter: - - - Improves support for translated output format names on search - results page. (#2429) - -+ global: ++ I18N - - Supports database creation on PostgreSQL server. + - Completes Italian translation. + - Completes French translation. - - Implements session signing. This avoids cache request for invalid - sessions and reduces the DDoS attack surface. ++ accounts - - Removes IP address storage+checks. This avoids data privacy issues - and enables users with multiple connections (e.g. WIFI+LTE, - multiple WIFI connections on trains+stations) to stay signed in. + - Uses the localized site name when sending email to users. (#3273) - - Enhances `run_py_func` to be able to print both to some StringIO - and to the terminal at the same time. This is enabled with the - `passthrough` argument. It now also always returns stderr, - deprecating the `capture_stderr` argument. The return value is now - a namedtuple so that one can easily fetch the required value. Its - arguments to a more natural order (name of the executable first - and arguments afterwards. ++ docker - - Supports database creation on PostgreSQL server. + - Improves Docker documentation notably related to how to work with + Invenio site overlays. 
- - Improves compatibility of Text fields in PostrgeSQL by changing - Text in models and removes Invenio hacks on MySQL Index and - Primary Key creation because starting from SQLAlchemy>=1.0 it - arises an exception if the length is specified. (#3037) ++ global -+ knowledge: + - Adds super(SmartDict, self).__init__ call in the __init__ method + in SmartDict to be able to make multiple inheritance in Record + class in invenio-records and be able to call both parent's + __init__. - - Relaxes constraints on dynamic search function that used to force - us to create temporary knowledge base. (#698) ++ jasmine -+ legacy: + - Allows using variables from application config for building asset + bundles. - - Supports database creation on PostgreSQL server. ++ legacy -+ oauthclient: - - - Extra template block addition. - -+ refextract: - - - Replaces usage of 'urllib' by 'requests' library and improves - manipulation with temporary file used for extraction of - references. - -+ script: - - - Uses SQLAlchemy and SQLAlchemy-Utils to initialize the database - instead of executing mysql in a python subshell. (#2846) (#2844) - -+ search: - - - The search results pages emits proper Cache and TTL information in - its HTTP headers, so that any eventual external cachers (such as - varnish) could act accordingly to invalidate their caches - automatically, without any configuration. (#2302) - - - Collection filtering of search results no longer returns orphan - records. - - - Improves native facet creations. - -+ template: - - - Replaces Invenio PNG logo with SVG version. This works better on - high resolution (retina) screens and it is supported by all - browers. - -+ unapi: - - - Separates UnAPI url handling to a new module. - -+ upgrader: - - - Clarifies that the upgrade dependency is only a best guess. - (#2561) - -+ workflows: - - - Updates the layout of the details pages in Holding Pen to display - at which step the object is in the workflow. 
- - - When rendering the task results, the Holding Pen now passes a - dictionary instead of a list in order to allow finer grained - control in the template. + - Improves exception handling of integrity errors raised by MySQLdb + library. Bug fixes --------- -+ access: - - - Sets the superadmin role ID properly when elaborating access - authorizations. Previously it was masked behind an application - context exception. (#3184) ++ OAIHarvest -+ accounts: + - Fixes the parsing of resumptiontoken in incoming OAI-PMH XML which + could fail when the resumptiontoken was empty. - - Fixes invalid HTML of the 'remember me' login form checkbox. ++ access - - Corrects conditions on when to sent a notification email. - (addresses zenodo/zenodo#275) (#3163) + - Sets superadmin role ID included in roles list returned from + acc_find_possible_roles to the correct, current value. (#3390) + (#3392) + - Fixes the authorization delete query to consider NULL value on + id_accARGUMENT authorization column. The usage of NULL value in + substitution of zero value was introduced in the commit 7974188 + because Foreign Key does not support it. + - Fixes property id_accARGUMENT of AccAuthorization model. - - Fixes issue that allowed blocked accounts to login. ++ encoder -+ classifier: + - Corrects the `compose_file` function call in `process_batch_job` + to produce `/content.` instead of + `/content.content;`. (#3354) - - Properly handles file paths containing a colon (:), avoiding bad - text extraction that causes (1) wrong results and (2) much slower - execution. ++ global - - Properly tags the execution of classifier as fast in the standard - workflow task when applicable. + - Fixes the way configuration variables are parsed from ENV. It now + uses the same method we are using in `inveniomanage config set`. + This fixes the problem that `False` is not parsed correctly. -+ deposit: ++ i18n - - Fixes issue with PLUpload chunking not being enabled. 
+ - Updates PO message catalogues and cleans them of duplicated + messages. (#3455) - - Fixes "both collapse arrows are shown" bug in deposit frontend. ++ indexer -+ formatter: + - Adds missing `get_nearest_terms_in_idxphrase_with_collection` + import. Fixes the name of field argument, and returns an empty + list when no model is passed. (#3271) - - Changes the mimetype of the `id` output format to application/json - and properly returns a JSON formatted list of results. ++ installation -+ indexer: + - Fixes database creation and upgrading by limiting Alembic version + to <0.7. - - Avoids an exception from happening when passing a unicode string - to the BibIndex engine washer. (#2981) ++ legacy -+ installation: + - Addresses an issue with calling six urllib.parse in a wrong way, + making users unable to harvest manually from the command line. - - Fixes capitalization of package names. ++ login -+ legacy: + - Provides flash message to indicate that an email with password + recovery could not be sent. (#3309) - - Fixes inveniogc crash when mysql is NOT used to store sessions. - (#3205) ++ search - - Catches also any `MySQLdb.OperationalError` coming from legacy - MySQL queries using `run_sql()`. (#3089) - - - Fixes an issue with outputting the post-process arguments when - adding or editing an OAI source. - -+ oauthclient: - - - Marks email address of users creating their account with oauth - process as invalid. - - - Sends a validation email when users create their account with - oauth. (#2739) - - - Improves security by leaving users' password uninitialized when - their account is created by the oauth module. - -+ records: - - - Improves type consistency of keys and values in JSON record - created from MARC and retrieved from storage engine. (#2772) - - - Fixes double message flashing issues during 401 errors. - - - Fixes issue with empty records not returning an 404 error. - - - Fixes 500 error when record does not exist. 
(#2891) - -+ search: - - - Fixes an issue of returning the wrong results when searching for - single values in the author field (e.g. 'author:ellis'). - -+ submit: - - - Fixes upgrade recipe for SbmCOLLECTION_SbmCOLLECTION table - introduced in commit @1021055. (#2954) - -+ workflows: - - - Fixes an issue where the workflow engine would try to save a - function reference in the extra_data task history, causing an - error when serializing extra_data. + - Enforces query string to be unicode to overcome pypeg2 parsing + issues. (#3296) + - Fixes admin interface for managing facets. (#3333) Notes ----- -+ access: - - - The default access role ID for the superadmin user is 1, but it - can be configured via CFG_SUPERADMINROLE_ID. - - - Requires running `webaccessadmin -u admin -c -a -D` command. - -+ accounts: - - - Changes user model fields family name/given names to store empty - string as default instead of null. - - - Adds support for users to change email address/nickname. If you - store email addresses in e.g. records or fireroles you are - responsible for propagating the users change of email address by - adding listeners to the 'profile-updated' signal. Alternatively - you can migrate records (using - CFG_ACC_GRANT_AUTHOR_RIGHTS_TO_USERIDS_IN_TAGS and - CFG_ACC_GRANT_VIEWER_RIGHTS_TO_USERIDS_IN_TAGS) and fireroles - (using "allow/deny uid ") to restrict access based on user id - instead of user email address. - - - Refactors password hashing to (a) explicitly specify password salt - instead of relying on the email address, since a change of email - would cause the password to be invalidated (b) support multiple - password hashing algorithms concurrently (c) automatic migration - of deprecated hashes when users log in (d) allows overlays to - specify their preferred hashing algorithms. 
- - - Deprecates legacy Invenio's hashing algorithm based on AES - encryption of email address using the password as secret key in - favor of SHA512 using random salt and 100000 rounds. - -+ assets: - - - Updates Twitter Bootstrap to 3.3 to fix some issues, e.g. to low - colour contrast of navbar background<->font. Requires update of - Twitter Bootstrap version in Invenio overlays. - -+ collections: - - - The tag table now contains 'collection idetifier' with correct - 'value' and 'recjson_value' ('' and '_collections'). - -+ formatter: - - - Invenio 1.x BFT template language and BFE elements are being - deprecated. Please migrate overlay output formats to use Jinja2. - (#2662) - - - Removes fallback template rendering and puts standard exception - logging in place. (#2958) - -+ global: - - - Removes unused legacy cascade style sheets. (#2040) - -+ indexer: - - - The lower_index_term() now returns the term as a Unicode string - which can have an impact on custom tokenizers and regular - indexing. - -+ installation: - - - Adds missing access rights for database user accessing server from - localhost. (#3146) - -+ records: ++ global - - Ports basic BibDocFile serving including access right checks. - (#3160) + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: '(html_safe)', 'info(html_safe)', + 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', + 'success(html_safe)' instead of the standard ones (which are the + same without '(html safe)' at the end). + - Backports Flask-IIIF extension from original commit + 213b6f1144734c9ecf425a1bc7b78e56ee5e4e3e. The extension is not + enabled by default in order to avoid feature addition to existing + minor release. -+ unapi: ++ search - - Add `invenio.modules.unapi` to PACKAGES if you would like to keep - the `/unapi` url. 
+ - Displaying HTML safe flash messages can be done by using one of + these flash contexts: 'search-results-after(html_safe)', + 'websearch-after-search-form(html_safe)' instead of the standard + ones (which are the same without '(html safe)' at the end). Installation ------------ - $ pip install invenio + $ pip install invenio==2.1.1 Upgrade ------- $ bibsched stop $ sudo systemctl stop apache2 - $ pip install --upgrade invenio==2.1.0 + $ pip install --upgrade invenio==2.1.1 $ inveniomanage upgrader check $ inveniomanage upgrader run $ sudo systemctl start apache2 @@ -563,7 +172,7 @@ Upgrade Documentation ------------- - http://invenio.readthedocs.org/en/v2.1.0 + http://invenio.readthedocs.org/en/v2.1.1 Happy hacking and thanks for flying Invenio. diff --git a/invenio/version.py b/invenio/version.py index d95a70df4a..d23126c773 100644 --- a/invenio/version.py +++ b/invenio/version.py @@ -30,7 +30,7 @@ # - revision can be set if you want to override the date coming from git. # # See the doctest below. -version = (2, 1, 1, 'dev', 20150901) +version = (2, 1, 1) def build_version(*args):
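Review bot: in the Notes entries for global and search (release notes hunk), the opt-in contexts are written '(html_safe)' in the lists but '(html safe)', with a space, in the closing parenthetical; make the parenthetical match the real suffix so nobody copies the wrong one. These contexts restore the unescaped rendering that the security fix turns off by default, so the note should also say that any caller using them has to escape user-supplied values it interpolates into the message. In the same hunk, the access entries under "Incompatible changes" do not say whether `inveniomanage upgrader run` from the Upgrade section performs the zero-to-NULL conversion in accROLE_accACTION_accARGUMENT, nor that overlay queries matching id_accARGUMENT against 0 must switch to a NULL test. The wording "because Foreign Key does not support it" also leaves "it" ambiguous; name the zero value explicitly.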
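Review bot: in invenio/version.py, `version = (2, 1, 1)` drops both the 'dev' marker and the date element, and the context comment refers to a doctest below for the details. Please confirm that doctest covers a three-element tuple and that build_version yields exactly the `2.1.1` string pinned by the `pip install invenio==2.1.1` lines in the release notes, so the tagged package and the documented install command cannot drift apart.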