diff --git a/ChangeLog b/ChangeLog
index 43dfb9977..9d51378d1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,15 +22,11 @@ Security
    * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
      modules.
 
-API Changes
-   * The following functions in the random generator modules have been
-     deprecated and replaced as shown below. The new functions change
-     the return type from void to int to allow returning error codes when
-     using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
-     primitive. Fixes #1798.
-     mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
-     mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
-   * Extend ECDH interface to enable alternative implementations.
+Features
+   * Add new config.h flag MBEDTLS_CHECK_PARAMS that enables validation of
+     more of the parameters by public API functions (see its documentation for
+     details). Disabled by default - requires users to provide an
+     implementation of the callback function or macro.
 
 New deprecations
    * Deprecate mbedtls_ctr_drbg_update and mbedtls_hmac_drbg_update
@@ -52,6 +48,16 @@ Bugfix
    * Fix double initialization of ECC hardware that made some accelerators
      hang.
 
+API Changes
+   * The following functions in the random generator modules have been
+     deprecated and replaced as shown below. The new functions change
+     the return type from void to int to allow returning error codes when
+     using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest
+     primitive. Fixes #1798.
+     mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
+     mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
+   * Extend ECDH interface to enable alternative implementations.
+
 = mbed TLS 2.14.0 branch released 2018-11-19
 
 Security