diff --git a/noVNC-0.5.1.tar.gz b/noVNC-0.5.1.tar.gz
deleted file mode 100644
index 00bb8c9..0000000
--- a/noVNC-0.5.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:095c1ce62fb9fd673123d0ba124a630757b6c11ab2f57847e44a2f35ef50a18c
-size 776887
diff --git a/noVNC-0.6.2.tar.gz b/noVNC-0.6.2.tar.gz
new file mode 100644
index 0000000..8cfc383
--- /dev/null
+++ b/noVNC-0.6.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70a27fe472b901faef7235a61e01aed884ec8c2234a666844acfd9da7e5bcf9b
+size 600675
diff --git a/novnc.changes b/novnc.changes
index b2fd272..7730e35 100644
--- a/novnc.changes
+++ b/novnc.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sat Jul 22 08:11:49 UTC 2017 - dmueller@suse.com
+
+- Update to 0.6.2:
+  _This is a vulnerability fix release._
+
+  Fixes a XSS issue in which the remote VNC server could inject
+  arbitrary HTML into the noVNC web page via the messages propagated
+  to the status field, such as the VNC server name.
+
+  This affects users of vnc_auto.html and vnc.html, as well as any
+  users of include/ui.js.
+
 -------------------------------------------------------------------
 Mon Dec  7 16:42:51 UTC 2015 - dvaleev@suse.com
 
diff --git a/novnc.spec b/novnc.spec
index b62565f..1d87d4c 100644
--- a/novnc.spec
+++ b/novnc.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package novnc
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           novnc
-Version:        0.5.1
+Version:        0.6.2
 Release:        0
 Summary:        VNC client using HTML5 (Web Sockets, Canvas) with encryption support
 License:        MPL-2.0 and LGPL-3.0