diff --git a/ChangeLog b/ChangeLog
index 26869a0f1..f2e2e046a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,11 @@ Bugfix
      for the parameter.
    * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
      sni entry parameter. Reported by inestlerode in #560.
+   * Fix missing bounds checks in X.509 parsing functions that could
+     lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
+   * Fix multiple X.509 functions previously returning ASN.1 low-level error
+     codes to always wrap these codes into X.509 high level error codes before
+     returning. Fixes #2431.
 
 Changes
    * Return from various debugging routines immediately if the
@@ -87,11 +92,6 @@ Bugfix
      extensions in CSRs and CRTs that caused these bitstrings to not be encoded
      correctly as trailing zeroes were not accounted for as unused bits in the
      leading content octet. Fixes #1610.
-   * Fix missing bounds checks in X.509 parsing functions that could
-     lead to successful parsing of ill-formed X.509 CRTs. Fixes #2437.
-   * Fix multiple X.509 functions previously returning ASN.1 low-level error
-     codes to always wrap these codes into X.509 high level error codes before
-     returning. Fixes #2431.
 
 Changes
    * Include configuration file in all header files that use configuration,