diff --git a/ChangeLog b/ChangeLog
index b05b522d90..4bbf8f16fd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,11 @@ Security
      unless the RNG is broken, and could result in information disclosure or
      denial of service (application crash or extra resource consumption).
      Found by Auke Zeilstra and Peter Schwabe, using static analysis.
+   * To avoid a side channel vulnerability when parsing an RSA private key,
+     read all the CRT parameters from the DER structure rather than
+     reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
+     Brumley. Reported and fix contributed by Jack Lloyd.
+     ARMmbed/mbed-crypto#352
 
 Features
    * The new build option MBEDTLS_SHA512_NO_SHA384 allows building SHA-512
@@ -37,6 +42,8 @@ Bugfix
      Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
    * Fix some false-positive uninitialized variable warnings in X.509. Fix
      contributed by apple-ihack-geek in #2663.
+   * Fix a possible error code mangling in psa_mac_verify_finish() when
+     a cryptographic accelerator fails. ARMmbed/mbed-crypto#345
 
 = mbed TLS 2.20.0 branch released 2020-01-15