diff --git a/VERSION b/VERSION
index e4ae2348371a..e34208c9371c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.15.4-dev
+1.15.4
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index e8a1538b4bc8..977e24f54c7b 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -1,9 +1,11 @@
-1.15.4 (Pending)
-================
+1.15.4 (April 15, 2021)
+=======================
 
 Changes
 -------
 
+* http: fixed a crash upon receiving empty HTTP/2 metadata frames. Received empty metadata frames are now counted in the HTTP/2 codec stat :ref:`metadata_empty_frames <config_http_conn_man_stats_per_codec>`.
+* http: fixed a remotely exploitable integer overflow via a very large grpc-timeout value causes undefined behavior.
 * http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses.
 * http: fixed bugs in datadog and squash filter's handling of responses with no bodies.
 * http: reverting a behavioral change where upstream connect timeouts were temporarily treated differently from other connection failures. The change back to the original behavior can be temporarily reverted by setting `envoy.reloadable_features.treat_upstream_connect_timeout_as_connect_failure` to false.
@@ -18,3 +20,4 @@ New Features
 
 Deprecated
 ----------
+