From 6d61e9751bff93d996f679114e7b3a8f628d6bc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 9 Jun 2017 14:52:09 +0200 Subject: [PATCH] Improve ChangeLog description of X509 MD5 changes --- ChangeLog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 9ae1a4142..7bed27854 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,7 +11,7 @@ Security * Wipe stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent Simon. - Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a + * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. * Remove support for X509 certificates signed with MD5. Issue raised by Harm Verhagen @@ -36,6 +36,9 @@ Changes * Clarify ECDSA documentation and improve the sample code to avoid misunderstandings and potentially dangerous use of the API. Pointed out by Jean-Philippe Aumasson. + * Add new config.h flag POLARSSL_X509_MIN_VERIFY_MD_ALG to set the minimum + hash accepted when verifying certificate chains. Defaults to SHA1, which + means SHA1 is accepted but MD5 and below are rejected. = mbed TLS 1.3.19 branch released 2017-03-08
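Review bot: in the first hunk (the Security block around ChangeLog line 11), restoring the missing `*` on the "Tighten parsing of RSA PKCS#1 v1.5 signatures" entry is the right fix, but while this hunk is touching that block the adjacent entry still lists `rsa_rsaes_oaep_decrypt` without the `()` that `rsa_rsaes_pkcs1_v15_decrypt()` carries on the same line; suggest `rsa_rsaes_oaep_decrypt()` so both function names are written the same way. The unchanged context line "Remove support for X509 certificates signed with MD5" in this same hunk also reads as an unconditional removal, so a reader of the Security section alone will not learn that the behaviour is actually controlled by a config.h flag; a short pointer from this entry to the corresponding Changes entry would keep the two sections consistent.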
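Review bot: in the second hunk (the new Changes entry for POLARSSL_X509_MIN_VERIFY_MD_ALG), the text "Defaults to SHA1" does not tell the reader what literal value the flag takes, so suggest naming the default constant (whatever md_type_t identifier the flag is compared against) in the entry, since users editing config.h will copy it from here. The entry should also say explicitly that setting the flag lower than the default re-enables acceptance of MD5-signed certificates and therefore undoes the fix listed under Security in this release; as written, "SHA1 is accepted but MD5 and below are rejected" describes only the default, and the Security entry above states the MD5 support is removed, which is contradicted if the flag can be lowered.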