diff --git a/ChangeLog b/ChangeLog index 9ae1a4142..7bed27854 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,7 +11,7 @@ Security * Wipe stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent Simon. - Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a + * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. * Remove support for X509 certificates signed with MD5. Issue raised by Harm Verhagen @@ -36,6 +36,9 @@ Changes * Clarify ECDSA documentation and improve the sample code to avoid misunderstandings and potentially dangerous use of the API. Pointed out by Jean-Philippe Aumasson. + * Add new config.h flag POLARSSL_X509_MIN_VERIFY_MD_ALG to set the minimum + hash accepted when verifying certificate chains. Defaults to SHA1, which + means SHA1 is accepted but MD5 and below are rejected. = mbed TLS 1.3.19 branch released 2017-03-08
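Review bot: in the first hunk (the Security list), the only change is the missing `* ` bullet on "Tighten parsing of RSA PKCS#1 v1.5 signatures", which is a good fix but unrelated to the config flag this patch introduces; consider splitting it into its own commit so the ChangeLog history for the BERserk-style parsing fix is not tied to the X509 feature. While touching that list, the neighbouring entry names `rsa_rsaes_pkcs1_v15_decrypt()` with parentheses but `rsa_rsaes_oaep_decrypt` without; the two should be written consistently.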
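Review bot: in the second hunk, the new POLARSSL_X509_MIN_VERIFY_MD_ALG entry under Changes does not say how it relates to the Security entry "Remove support for X509 certificates signed with MD5" a few lines above; if this flag is the mechanism behind that removal, the entry should say so, and it should state explicitly that setting the flag below the SHA1 default re-enables MD5-signed certificates, since that is a security-relevant knob rather than a neutral option. The entry should also name the identifiers the flag accepts (the constant the SHA1 default expands to) so a user can actually set it from config.h, and "MD5 and below" is clearer as the concrete list of rejected algorithms.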