diff --git a/CHANGES.rst b/CHANGES.rst index 21e1f4490ba..cd5dc19d847 100644 --- a/CHANGES.rst +++ b/CHANGES.rst 
@@ -10,6 +10,223 @@ .. towncrier release notes start +3.13.4 (2026-03-28) +=================== + +Features +-------- + +- Added ``max_headers`` parameter to limit the number of headers that should be read from a response -- by :user:`Dreamsorcerer`. + + + *Related issues and pull requests on GitHub:* + :issue:`11955`. + + + +- Added a ``dns_cache_max_size`` parameter to ``TCPConnector`` to limit the size of the cache -- by :user:`Dreamsorcerer`. + + + *Related issues and pull requests on GitHub:* + :issue:`12106`. + + + +Bug fixes +--------- + +- Fixed server hanging indefinitely when chunked transfer encoding chunk-size + does not match actual data length. The server now raises + ``TransferEncodingError`` instead of waiting forever for data that will + never arrive -- by :user:`Fridayai700`. + + + *Related issues and pull requests on GitHub:* + :issue:`10596`. + + + +- Fixed access log timestamps ignoring daylight saving time (DST) changes. The + previous implementation used :py:data:`time.timezone` which is a constant and + does not reflect DST transitions -- by :user:`nightcityblade`. + + + *Related issues and pull requests on GitHub:* + :issue:`11283`. + + + +- Fixed ``RuntimeError: An event loop is running`` error when using ``aiohttp.GunicornWebWorker`` + or ``aiohttp.GunicornUVLoopWebWorker`` on Python >=3.14. + -- by :user:`Tasssadar`. + + + *Related issues and pull requests on GitHub:* + :issue:`11701`. + + + +- Fixed :exc:`ValueError` when creating a TLS connection with ``ClientTimeout(total=0)`` by converting ``0`` to ``None`` before passing to ``ssl_handshake_timeout`` in :py:meth:`asyncio.loop.start_tls` -- by :user:`veeceey`. + + + *Related issues and pull requests on GitHub:* + :issue:`11859`. + + + +- Restored :py:meth:`~aiohttp.BodyPartReader.decode` as a synchronous method + for backward compatibility. The method was inadvertently changed to async + in 3.13.3 as part of the decompression bomb security fix. 
A new + :py:meth:`~aiohttp.BodyPartReader.decode_iter` method is now available + for non-blocking decompression of large payloads using an async generator. + Internal aiohttp code uses the async variant to maintain security protections. + + Changed multipart processing chunk sizes from 64 KiB to 256KiB, to better + match aiohttp internals + -- by :user:`bdraco` and :user:`Dreamsorcerer`. + + + *Related issues and pull requests on GitHub:* + :issue:`11898`. + + + +- Fixed false-positive :py:class:`DeprecationWarning` for passing ``enable_cleanup_closed=True`` to :py:class:`~aiohttp.TCPConnector` specifically on Python 3.12.7. + -- by :user:`Robsdedude`. + + + *Related issues and pull requests on GitHub:* + :issue:`11972`. + + + +- Fixed _sendfile_fallback over-reading beyond requested count -- by :user:`bysiber`. + + + *Related issues and pull requests on GitHub:* + :issue:`12096`. + + + +- Fixed digest auth dropping challenge fields with empty string values -- by :user:`bysiber`. + + + *Related issues and pull requests on GitHub:* + :issue:`12097`. + + + +- ``ClientConnectorCertificateError.os_error`` no longer raises :exc:`AttributeError` + -- by :user:`themylogin`. + + + *Related issues and pull requests on GitHub:* + :issue:`12136`. + + + +- Adjusted pure-Python request header value validation to align with RFC 9110 control-character handling, while preserving lax response parser behavior, and added regression tests for Host/header control-character cases. + -- by :user:`rodrigobnogueira`. + + + *Related issues and pull requests on GitHub:* + :issue:`12231`. + + + +- Rejected duplicate singleton headers (``Host``, ``Content-Type``, + ``Content-Length``, etc.) in the C extension HTTP parser to match + the pure Python parser behaviour, preventing potential host-based + access control bypasses via parser differentials + -- by :user:`rodrigobnogueira`. + + + *Related issues and pull requests on GitHub:* + :issue:`12240`. 
+ + + +- Aligned the pure-Python HTTP request parser with the C parser by splitting + comma-separated and repeated ``Connection`` header values for keep-alive, + close, and upgrade handling -- by :user:`rodrigobnogueira`. + + + *Related issues and pull requests on GitHub:* + :issue:`12249`. + + + + +Improved documentation +---------------------- + +- Documented :exc:`asyncio.TimeoutError` for ``WebSocketResponse.receive()`` + and related methods -- by :user:`veeceey`. + + + *Related issues and pull requests on GitHub:* + :issue:`12042`. + + + + +Packaging updates and notes for downstreams +------------------------------------------- + +- Upgraded llhttp to 3.9.1 -- by :user:`Dreamsorcerer`. + + + *Related issues and pull requests on GitHub:* + :issue:`12069`. + + + + +Contributor-facing changes +-------------------------- + +- The benchmark CI job now runs only in the upstream repository -- by :user:`Cycloctane`. + + It used to always fail in forks, which this change fixed. + + + *Related issues and pull requests on GitHub:* + :issue:`11737`. + + + +- Fixed flaky performance tests by using appropriate fixed thresholds that account for CI variability -- by :user:`rodrigobnogueira`. + + + *Related issues and pull requests on GitHub:* + :issue:`11992`. + + + + +Miscellaneous internal changes +------------------------------ + +- Fixed ``test_invalid_idna`` to work with ``idna`` 3.11 by using an invalid character (``\u0080``) that is rejected by ``yarl`` during URL construction -- by :user:`rodrigobnogueira`. + + + *Related issues and pull requests on GitHub:* + :issue:`12027`. + + + +- Fixed race condition in ``test_data_file`` on Python 3.14 free-threaded builds -- by :user:`rodrigobnogueira`. + + + *Related issues and pull requests on GitHub:* + :issue:`12170`. + + + + +---- + + 3.13.3 (2026-01-03) =================== diff --git a/CHANGES/10596.bugfix.rst b/CHANGES/10596.bugfix.rst deleted file mode 100644 index f96a0215de3..00000000000 
--- a/CHANGES/10596.bugfix.rst +++ /dev/null @@ -1,4 +0,0 @@ -Fixed server hanging indefinitely when chunked transfer encoding chunk-size -does not match actual data length. The server now raises -``TransferEncodingError`` instead of waiting forever for data that will -never arrive -- by :user:`Fridayai700`. diff --git a/CHANGES/11283.bugfix.rst b/CHANGES/11283.bugfix.rst deleted file mode 100644 index 966b9afbd00..00000000000 --- a/CHANGES/11283.bugfix.rst +++ /dev/null @@ -1,3 +0,0 @@ -Fixed access log timestamps ignoring daylight saving time (DST) changes. The -previous implementation used :py:data:`time.timezone` which is a constant and -does not reflect DST transitions -- by :user:`nightcityblade`. diff --git a/CHANGES/11737.contrib.rst b/CHANGES/11737.contrib.rst deleted file mode 100644 index 2b793f41d6c..00000000000 --- a/CHANGES/11737.contrib.rst +++ /dev/null @@ -1,3 +0,0 @@ -The benchmark CI job now runs only in the upstream repository -- by :user:`Cycloctane`. - -It used to always fail in forks, which this change fixed. diff --git a/CHANGES/11859.bugfix.rst b/CHANGES/11859.bugfix.rst deleted file mode 100644 index 1efb26813d7..00000000000 --- a/CHANGES/11859.bugfix.rst +++ /dev/null @@ -1 +0,0 @@ -Removed support for ``ClientTimeout(total=0)`` to disable timeouts. Use ``None`` instead of ``0`` to disable the total timeout. Passing ``0`` now raises :exc:`ValueError` with a clear error message -- by :user:`veeceey`. diff --git a/CHANGES/11898.bugfix.rst b/CHANGES/11898.bugfix.rst deleted file mode 100644 index 2a2e41d037b..00000000000 --- a/CHANGES/11898.bugfix.rst +++ /dev/null 
@@ -1,10 +0,0 @@ -Restored :py:meth:`~aiohttp.BodyPartReader.decode` as a synchronous method -for backward compatibility. The method was inadvertently changed to async -in 3.13.3 as part of the decompression bomb security fix. A new -:py:meth:`~aiohttp.BodyPartReader.decode_iter` method is now available -for non-blocking decompression of large payloads using an async generator. -Internal aiohttp code uses the async variant to maintain security protections. - -Changed multipart processing chunk sizes from 64 KiB to 256KiB, to better -match aiohttp internals --- by :user:`bdraco` and :user:`Dreamsorcerer`. diff --git a/CHANGES/11955.feature.rst b/CHANGES/11955.feature.rst deleted file mode 100644 index eaea1016e60..00000000000 --- a/CHANGES/11955.feature.rst +++ /dev/null @@ -1 +0,0 @@ -Added ``max_headers`` parameter to limit the number of headers that should be read from a response -- by :user:`Dreamsorcerer`. diff --git a/CHANGES/11972.bugfix.rst b/CHANGES/11972.bugfix.rst deleted file mode 100644 index 8a6c2f56f28..00000000000 --- a/CHANGES/11972.bugfix.rst +++ /dev/null @@ -1,2 +0,0 @@ -Fixed false-positive :py:class:`DeprecationWarning` for passing ``enable_cleanup_closed=True`` to :py:class:`~aiohttp.TCPConnector` specifically on Python 3.12.7. --- by :user:`Robsdedude`. diff --git a/CHANGES/11992.contrib.rst b/CHANGES/11992.contrib.rst deleted file mode 100644 index c56c2ab7059..00000000000 --- a/CHANGES/11992.contrib.rst +++ /dev/null @@ -1 +0,0 @@ -Fixed flaky performance tests by using appropriate fixed thresholds that account for CI variability -- by :user:`rodrigobnogueira`. diff --git a/CHANGES/12027.misc.rst b/CHANGES/12027.misc.rst deleted file mode 100644 index 0b14de408a9..00000000000 --- a/CHANGES/12027.misc.rst +++ /dev/null @@ -1 +0,0 @@ -Fixed ``test_invalid_idna`` to work with ``idna`` 3.11 by using an invalid character (``\u0080``) that is rejected by ``yarl`` during URL construction -- by :user:`rodrigobnogueira`. 
diff --git a/CHANGES/12042.doc.rst b/CHANGES/12042.doc.rst deleted file mode 100644 index 50c30f28cdf..00000000000 --- a/CHANGES/12042.doc.rst +++ /dev/null @@ -1,2 +0,0 @@ -Documented :exc:`asyncio.TimeoutError` for ``WebSocketResponse.receive()`` -and related methods -- by :user:`veeceey`. diff --git a/CHANGES/12069.packaging.rst b/CHANGES/12069.packaging.rst deleted file mode 100644 index a5c79a7cebe..00000000000 --- a/CHANGES/12069.packaging.rst +++ /dev/null @@ -1 +0,0 @@ -Upgraded llhttp to 3.9.1 -- by :user:`Dreamsorcerer`. diff --git a/CHANGES/12096.bugfix.rst b/CHANGES/12096.bugfix.rst deleted file mode 100644 index 945b452309a..00000000000 --- a/CHANGES/12096.bugfix.rst +++ /dev/null @@ -1 +0,0 @@ -Fixed _sendfile_fallback over-reading beyond requested count -- by :user:`bysiber`. diff --git a/CHANGES/12097.bugfix.rst b/CHANGES/12097.bugfix.rst deleted file mode 100644 index 1ea88a8c087..00000000000 --- a/CHANGES/12097.bugfix.rst +++ /dev/null @@ -1 +0,0 @@ -Fixed digest auth dropping challenge fields with empty string values -- by :user:`bysiber`. diff --git a/CHANGES/12106.feature.rst b/CHANGES/12106.feature.rst deleted file mode 100644 index daa9088eed6..00000000000 --- a/CHANGES/12106.feature.rst +++ /dev/null @@ -1 +0,0 @@ -Added a ``dns_cache_max_size`` parameter to ``TCPConnector`` to limit the size of the cache -- by :user:`Dreamsorcerer`. diff --git a/CHANGES/12136.bugfix.rst b/CHANGES/12136.bugfix.rst deleted file mode 100644 index 14ad7edf326..00000000000 --- a/CHANGES/12136.bugfix.rst +++ /dev/null @@ -1,2 +0,0 @@ -``ClientConnectorCertificateError.os_error`` no longer raises :exc:`AttributeError` --- by :user:`themylogin`. diff --git a/CHANGES/12170.misc.rst b/CHANGES/12170.misc.rst deleted file mode 100644 index 23c63db50e9..00000000000 --- a/CHANGES/12170.misc.rst +++ /dev/null @@ -1 +0,0 @@ -Fixed race condition in ``test_data_file`` on Python 3.14 free-threaded builds -- by :user:`rodrigobnogueira`. 
diff --git a/CHANGES/12231.bugfix.rst b/CHANGES/12231.bugfix.rst deleted file mode 100644 index cd74bd1e7e5..00000000000 --- a/CHANGES/12231.bugfix.rst +++ /dev/null @@ -1,2 +0,0 @@ -Adjusted pure-Python request header value validation to align with RFC 9110 control-character handling, while preserving lax response parser behavior, and added regression tests for Host/header control-character cases. --- by :user:`rodrigobnogueira`. diff --git a/CHANGES/12240.bugfix.rst b/CHANGES/12240.bugfix.rst deleted file mode 100644 index 49508b3f595..00000000000 --- a/CHANGES/12240.bugfix.rst +++ /dev/null @@ -1,5 +0,0 @@ -Rejected duplicate singleton headers (``Host``, ``Content-Type``, -``Content-Length``, etc.) in the C extension HTTP parser to match -the pure Python parser behavior, preventing potential host-based -access control bypasses via parser differentials --- by :user:`rodrigobnogueira`. diff --git a/CHANGES/12249.bugfix.rst b/CHANGES/12249.bugfix.rst deleted file mode 100644 index 42d90314110..00000000000 --- a/CHANGES/12249.bugfix.rst +++ /dev/null @@ -1,3 +0,0 @@ -Aligned the pure-Python HTTP request parser with the C parser by splitting -comma-separated and repeated ``Connection`` header values for keep-alive, -close, and upgrade handling -- by :user:`rodrigobnogueira`.
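
Review bot: In the CHANGES.rst hunk, the 3.13.4 entry for :issue:`11701` (the ``RuntimeError: An event loop is running`` fix for ``aiohttp.GunicornWebWorker``) has no matching ``CHANGES/11701.*.rst`` deletion anywhere in this diff, while each of the other 19 entries in the section does. Please confirm the fragment was consumed and is not left in ``CHANGES/`` to be emitted again in the next release. The same entry ends "Python >=3.14." with "-- by :user:`Tasssadar`." on the following line, so the rendered sentence carries a full stop before the attribution; dropping it would match entries such as the one for :issue:`10596`.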
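
Review bot: The text removed in the CHANGES/11859.bugfix.rst hunk contradicts the entry added to CHANGES.rst for the same issue. The fragment says "Removed support for ``ClientTimeout(total=0)`` to disable timeouts ... Passing ``0`` now raises :exc:`ValueError`", while the release notes say "Fixed :exc:`ValueError` when creating a TLS connection with ``ClientTimeout(total=0)`` by converting ``0`` to ``None``". One describes ``0`` being rejected, the other describes ``0`` being accepted and treated as no timeout. Please confirm which behaviour ships in 3.13.4 and make the fragment history and the compiled entry agree, since callers who pass ``total=0`` need to know whether their code keeps working or starts raising.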
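
Review bot: In the CHANGES/11898.bugfix.rst hunk, the sentence "Internal aiohttp code uses the async variant to maintain security protections" leaves open whether the restored synchronous :py:meth:`~aiohttp.BodyPartReader.decode` still carries the decompression bomb protections from 3.13.3. If it does not, the note should say so directly and point callers who handle untrusted multipart bodies at ``decode_iter``; if it does, say that instead. Minor: "64 KiB to 256KiB" mixes spacing, suggest "256 KiB".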
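
Review bot: The CHANGES/11955.feature.rst hunk does not say where ``max_headers`` is passed or what its default is. The neighbouring feature note names its owner ("a ``dns_cache_max_size`` parameter to ``TCPConnector``"), and this one should do the same, because a limit on response headers is only useful as a resource-exhaustion control if readers can tell which object accepts it and whether the default already caps anything.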
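
Review bot: In the CHANGES/12240.bugfix.rst hunk the fragment reads "the pure Python parser behavior", but the entry added to CHANGES.rst reads "the pure Python parser behaviour", so the compiled text is not a verbatim copy of this file; worth checking whether the fragment or the release notes were edited by hand. Separately, the note describes closing "host-based access control bypasses via parser differentials" yet is filed as an ordinary bug fix. Consider stating plainly that requests carrying repeated ``Host``, ``Content-Type`` or ``Content-Length`` headers are now rejected when the C extension parser is in use, so operators can recognise new rejections after upgrading and prioritise the update.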