diff --git a/ChangeLog b/ChangeLog
index 8f7843dc6..4ef3f1bf3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,11 @@ Bugfix
    * Fix ssl_parse_record_header() to silently discard invalid DTLS records
      as recommended in RFC 6347 Section 4.1.2.7.
 
+Security
+   * Change default choice of DHE parameters from untrustworthy RFC 5114
+     to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
+     manner.
+
 = mbed TLS 2.1.9 branch released 2017-08-10
 
 Security