Fix missing bound check
diff --git a/ChangeLog b/ChangeLog
index 89c87e0..8370738 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
    * Add support for Extended Master Secret (draft-ietf-tls-session-hash)
    * Add support for Encrypt-then-MAC (RFC 7366)
 
+Bugfix
+   * Stack buffer overflow if ctr_drbg_update() is called with too large
+     add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
+
 = PolarSSL 1.3.9 released 2014-10-20
 Security
    * Lowest common hash was selected from signature_algorithms extension in
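Review bot: The new entry under "+Bugfix" describes a stack buffer overflow in ctr_drbg_update() but does not say what counts as a "too large" add_len, or what the function now does with such input (reject it, truncate it, return an error). Naming the limit and the new behaviour in the entry would let callers check whether their own add_len values are affected. Since the file already uses a "Security" heading (see the 1.3.9 section just below), consider whether a memory-corruption fix belongs there rather than under "Bugfix", keeping the "not triggerable remotely" qualifier so the severity stays clear.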