diff --git a/ChangeLog.d/add_mbedtls_setbuf.txt b/ChangeLog.d/add_mbedtls_setbuf.txt new file mode 100644 index 0000000000..6152d60dfc --- /dev/null +++ b/ChangeLog.d/add_mbedtls_setbuf.txt @@ -0,0 +1,10 @@ +Security + * Add the platform function mbedtls_setbuf() to allow buffering to be + disabled on stdio files, to stop secrets loaded from said files being + potentially left in memory after file operations. Reported by + Glenn Strauss. +Requirement changes + * The library will no longer compile out of the box on a platform without + setbuf() if MBEDTLS_FS_IO is enabled. If your platform does not have + setbuf(), you can configure an alternative function by enabling + MBEDTLS_PLATFORM_SETBUF_ALT or MBEDTLS_PLATFORM_SETBUF_MACRO.
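Review bot: The Security entry does not say which library code paths now call mbedtls_setbuf() to disable stdio buffering, so a reader of the ChangeLog cannot tell whether the file-loading calls they use are covered by this fix; consider naming the affected functions (or at least stating that it applies to the library's own file readers that are built when MBEDTLS_FS_IO is enabled, as the Requirement changes entry implies) and adding that applications which read secret files through their own stdio code are not covered and need to disable buffering on those streams themselves. The two entries otherwise read consistently, and the Requirement changes bullet correctly ties the new setbuf() dependency to MBEDTLS_FS_IO.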