Merge remote-tracking branch 'upstream-restricted/pr/556' into mbedtls-2.16-restricted
diff --git a/ChangeLog b/ChangeLog
index 5e89480..2a87665 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,16 @@
    * Fix a missing error detection in ECJPAKE. This could have caused a
      predictable shared secret if a hardware accelerator failed and the other
      side of the key exchange had a similar bug.
+   * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
+     implement blinding. Because of this for the same key and message the same
+     blinding value was generated. This reduced the effectiveness of the
+     countermeasure and leaked information about the private key through side
+     channels. Reported by Jack Lloyd.
+
+API Changes
+   * The new function mbedtls_ecdsa_sign_det_ext() is similar to
+     mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
+     purpose of blinding.
 
 Bugfix
    * Fix to allow building test suites with any warning that detects unused
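Review bot: the security entry explains how the weakness arose (the HMAC-DRBG used for the deterministic nonce was reused for blinding, so the same key and message produced the same blinding value) but not how it is fixed, and the API Changes entry right after it only says that mbedtls_ecdsa_sign_det_ext() "allows passing an external RNG for the purpose of blinding". A reader of the ChangeLog cannot tell whether mbedtls_ecdsa_sign_det() itself is now safe to keep calling, or whether existing callers are expected to migrate to mbedtls_ecdsa_sign_det_ext() to get the fix. Please state explicitly in the security entry what the blinding now uses when no external RNG is supplied, and, if the old entry point remains affected, say so in the API Changes entry (for instance: "mbedtls_ecdsa_sign_det() is unchanged in behaviour; callers should use mbedtls_ecdsa_sign_det_ext() with a proper RNG"). It would also help to name the affected entry points, since mbedtls_ecdsa_write_signature() also takes the deterministic path when MBEDTLS_ECDSA_DETERMINISTIC is enabled, so users of that higher-level API need to know whether they are covered. Minor: "Because of this for the same key and message the same blinding value was generated" reads better as "Because of this, for the same key and message, the same blinding value was generated".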