Clarify attack conditions in the ChangeLog.

Referring to the previous entry could imply that the current one was limited
to SHA-384 too, which it isn't.

ChangeLog

@@ -19,10 +19,13 @@ Security
    * Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
      1.2, that allowed a local attacker, able to execute code on the local
      machine as well as manipulate network packets, to partially recover the
-     plaintext of messages under some conditions (see previous entry) by using
+     plaintext of messages under some conditions by using a cache attack
-     a cache attack targetting an internal MD/SHA buffer. Connections using
+     targetting an internal MD/SHA buffer. With TLS or if
-     GCM or CCM instead of CBC or using Encrypt-then-Mac (RFC 7366) were not
+     mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
-     affected. Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
+     the same secret (for example a HTTP Cookie) has been repeatedly sent over
+     connections manipulated by the attacker. Connections using GCM or CCM
+     instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
+     Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
    * Add a counter-measure against a vulnerability in TLS ciphersuites based
      on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
      execute code on the local machine as well as manipulate network packets,