diff --git a/resources/releasedocs/changelog.html b/resources/releasedocs/changelog.html
index 01c8a003b..cb513e360 100644
--- a/resources/releasedocs/changelog.html
+++ b/resources/releasedocs/changelog.html
@@ -141,6 +141,18 @@ hr {
+
+
4.1.9 -- 2016-11-19
+
+
Bug
+
+
+- [SMACK-739] - Smack starts SASL step without TLS in case STARTTLS is stripped even if SecurityMode.Required is used
+
+- [SMACK-735] - Smack sometimes sends invalid SCRAM-SHA1 nonce
+
+
+
4.1.8 -- 2016-07-30
Bug
diff --git a/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java b/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java
index 0a6d6d6f1..fc9413cad 100644
--- a/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java
+++ b/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java
@@ -269,7 +269,10 @@ public class SCRAMSHA1Mechanism extends SASLMechanism {
if (c == ',') {
return false;
}
- return c >= 32 && c < 127;
+ // RFC 5802 ยง 7. 'printable': Contains all chars within 0x21 (33d) to 0x2b (43d) and 0x2d (45d) to 0x7e (126)
+ // aka. "Printable ASCII except ','". Since we already filter the ASCII ',' (0x2c, 44d) above, we only have to
+ // ensure that c is within [33, 126].
+ return c > 32 && c < 127;
}
/**
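Review bot: The new return statement uses exclusive bounds (`c > 32 && c < 127`) while the comment directly above it gives the inclusive range [33, 126] and the RFC's hex values, so a reader has to do the off-by-one arithmetic that the old `c >= 32` got wrong. Writing it as `return c >= 0x21 && c <= 0x7e;` would let the line be checked directly against RFC 5802 § 7. No test for this boundary is visible in the diff. One asserting that ' ' (0x20), ',' (0x2c) and 0x7f are rejected while '!' (0x21) and '~' (0x7e) are accepted would keep an invalid nonce character from slipping back in. The method's signature and opening lines lie outside this hunk, so how the candidate characters are produced cannot be judged from here.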