Changelog: Add entry for prime validation fix
diff --git a/ChangeLog b/ChangeLog
index fd625a4..edd5711 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,24 @@
= mbed TLS x.x.x branch released xxxx-xx-xx
+Security
+ * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
+ previous settings for the number of rounds made it practical for an
+ adversary to construct non-primes that would be erroneously accepted as
+ primes with high probability. This does not have an impact on the
+ security of TLS, but can matter in other contexts with potentially
+ adversarially-chosen numbers that should be prime and can be validated.
+ For example, the number of rounds was enough to securely generate RSA key
+ pairs or Diffie-Hellman parameters, but was insufficient to validate
+ Diffie-Hellman parameters properly.
+ See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
+ Kenneth G. Paterson and Juraj Somorovsky.
+
+New deprecations
+ * Deprecate the function mbedtls_mpi_is_prime() in favor of
+ mbedtls_mpi_is_prime_ext() which allows specifying the number of
+ Miller-Rabin rounds.
+
Changes
* Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
use it to reduce error probability in RSA key generation to levels mandated