diff --git a/ChangeLog b/ChangeLog
index aad1ec2c7..52935c305 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,7 +2,15 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 = mbed TLS 2.1.3 released 2015-10-xx
 
+Security
+   * The X509 max_pathlen constraint was not enforced on intermediate
+     certificates. Found by Nicholas Wilson, fix and tests provided by
+     Janos Follath. #280 and #319
+
 Bugfix
+   * Self-signed certificates were not excluded from pathlen counting,
+     resulting in some valid X.509 being incorrectly rejected. Found and fix
+     provided by Janos Follath. #319
    * Fix build error with configurations where ECDHE-PSK is the only key
      exchange. Found and fix provided by Chris Hammond. #270
    * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or