From ee98109af508b14fc79051b263e641a64864bf43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Mon, 26 Jun 2017 11:30:01 +0200
Subject: [PATCH] Add ChangeLog entry for the security issue

---
 ChangeLog | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index d35457b96..038858cef 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,14 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 = mbed TLS 2.y.z released YYYY-MM-DD
 
+Security
+   * Fix authentication bypass in SSL/TLS: when auth_mode is set to optional,
+   mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
+   X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
+   (default: 8) intermediates, even when it was not trusted. Could be
+   trigerred remotely on both sides. (With auth_mode set to required
+   (default), the handshake was correctly aborted.)
+
 Changes
    * Certificate verification functions now set flags to -1 in case the full
      chain was not verified due to an internal error (including in the verify