diff --git a/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt b/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt
index 1ab864092..a1fded3aa 100644
--- a/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt
+++ b/ChangeLog.d/add-new-pkcs5-pbe2-ext-fun.txt
@@ -1,6 +1,6 @@
-Features
-   * Add new mbedtls_pkcs5_pbes2_ext function a more secure replacement to
-     mbedtls_pkcs5_pbes2 function because it reports the length of the output
-     bytes written to the output buffer and it requires a parameter containing
-     the output buffer size and validate if the output buffer is big enough
-     for output including padding.
+Security
+   * Developers using mbedtls_pkcs5_pbes2() should review the size of the output
+     buffer passed to this function, and note that the output after decryption
+     may include CBC padding. Consider moving to the new function
+     mbedtls_pkcs5_pbes2_ext() which checks for overflow of the output buffer
+     and reports the actual length of the output.