diff --git a/forgejo-src-7.0.6.tar.gz b/forgejo-src-7.0.6.tar.gz
deleted file mode 100644
index 55231b9..0000000
--- a/forgejo-src-7.0.6.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b33ca271d4d8ecf00ce80d2ee14888d40265ab648b880fd9bb9916bf9e88b15b
-size 53489756
diff --git a/forgejo-src-7.0.6.tar.gz.asc b/forgejo-src-7.0.6.tar.gz.asc
deleted file mode 100644
index 101ca15..0000000
--- a/forgejo-src-7.0.6.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZqjZygAKCRCkthotxZI3
-EJmNAP9IiHThCEotiYrOt3YzdOeaEAM3vfLzyf4PN1jWibbiogEAzGyWuho+MH8z
-9TqdaLJIF/T3L62r/TgZ+mlZ0HHkLQM=
-=ExB8
------END PGP SIGNATURE-----
diff --git a/forgejo-src-7.0.7.tar.gz b/forgejo-src-7.0.7.tar.gz
new file mode 100644
index 0000000..a7778dd
--- /dev/null
+++ b/forgejo-src-7.0.7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ba66fa2bf335149d6bda0a943bcbb2021af3692f10c10ede646cdcabfe762029
+size 53549049
diff --git a/forgejo-src-7.0.7.tar.gz.asc b/forgejo-src-7.0.7.tar.gz.asc
new file mode 100644
index 0000000..aeb8e4e
--- /dev/null
+++ b/forgejo-src-7.0.7.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYTZAAKCRCkthotxZI3
+EPgYAP9o2VTTDnul4cDr6xEfw9k90sk323uk4WhcSktc+qgxqwEAmUKcJ4pk7scZ
+O2O5Ru3o7nomtBPrflFoGJXKO8ACrQ8=
+=7IAF
+-----END PGP SIGNATURE-----
diff --git a/forgejo.changes b/forgejo.changes
index 810c24e..70eface 100644
--- a/forgejo.changes
+++ b/forgejo.changes
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Fri Aug 9 18:13:59 UTC 2024 - Johannes Kastl
+
+- update to 7.0.7:
+ This is a security release. See the documentation for more
+ information on the upgrade procedure.
+ * Security
+ - A change introduced in Forgejo v1.21 allows a Forgejo user
+ with write permission on a repository description to inject a
+ client-side script into the web page viewed by the visitor.
+ This XSS allows for href in anchor elements to be set to a
+ javascript: URI in the repository description, which will
+ execute the specified script upon clicking (and not upon
+ loading). AllowStandardURLs is now called for the repository
+ description policy, which ensures that URIs in anchor
+ elements are mailto:, http:// or https:// and thereby
+ disallowing the javascript: URI.
+ * Bug fixes
+ - PR (backported): disallow javascript: URI in the repository
+ description
+ * Localization
+ - PR (backported): i18n: backport of #4568 #4668 and #4783 to
+ v7
+
 -------------------------------------------------------------------
 Thu Aug 1 10:50:53 UTC 2024 - Johannes Kastl
diff --git a/forgejo.spec b/forgejo.spec
index 15fa8d6..1c51133 100644
--- a/forgejo.spec
+++ b/forgejo.spec
@@ -30,7 +30,7 @@
 %endif
 %endif
 Name: forgejo
-Version: 7.0.6
+Version: 7.0.7
 Release: 0
 Summary: Self-hostable forge
 License: MIT