Fix security hole.
diff --git a/CHANGES b/CHANGES
index 82b190b..2a00607 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,16 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
+     doesn't work when the session is reused. Coming soon!
+     [Ben Laurie]
+
+  *) Fix a security hole, that allows sessions to be reused in the wrong
+     context thus bypassing client cert protection! All software that uses
+     client certs and session caches in multiple contexts NEEDS PATCHING to
+     allow session reuse! A fuller solution is in the works.
+     [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)]
+
   *) Some more source tree cleanups (removed obsolete files
      crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
      permission on "config" script to be executable) and a fix for the INSTALL
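Review bot: The security entry (second added item) says software using client certs and session caches in multiple contexts "NEEDS PATCHING to allow session reuse", but it does not say what that patch is. Name the call or setting applications must add, or point to where it is documented, so that a reader of CHANGES can act on the warning. The credit line still carries the placeholder "(and ???)", which should be resolved or dropped. The first added item, about SSL_get_peer_cert_chain(), is a separate functional change that the commit message "Fix security hole." does not mention; consider committing it separately or noting it in the message.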