Prevent SLOTH attacks
diff --git a/ChangeLog b/ChangeLog
index b604ed4..f24186b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,10 @@
 
 = mbed TLS 2.x.x branch released xxxx-xx-xx
 
+Security
+   * Removed MD5 from the allowed hash algorithms for CertificateRequest and
+     CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
+
 Bugfix
    * Fix the redefinition of macro ssl_set_bio to an undefined symbol
      mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
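Review bot: the new Security entry says MD5 was removed from the allowed hash algorithms but not what an integrator will observe afterwards. It should state whether a TLS 1.2 handshake now fails when the peer signs CertificateVerify with MD5, or when MD5 is the only hash it offers, so that users upgrading know what to expect from legacy peers. The entry also names only CertificateRequest and CertificateVerify. If other TLS 1.2 handshake signatures, such as ServerKeyExchange, are covered elsewhere or deliberately left unchanged, a short mention would keep readers from assuming MD5 is gone from every signature in the handshake. Only the ChangeLog is visible in this diff, so the code change that enforces the removal should be in the same commit or referenced from this entry.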