diff --git a/ChangeLog b/ChangeLog
index 0a857ba76..1d1306420 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Security
+   * Fixed potential livelock during the parsing of a CRL in PEM format in
+     mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
+     characters after the footer could result in the execution of an infinite
+     loop. The issue can be triggered remotely. Found by Greg Zaverucha,
+     Microsoft.
+
 = mbed TLS 2.4.1 branch released 2016-12-13
 
 Changes
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 7b2b4733b..5b0adeffc 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -530,7 +530,7 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s
 
             mbedtls_pem_free( &pem );
         }
-        else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        else if( is_pem )
         {
             mbedtls_pem_free( &pem );
             return( ret );