diff --git a/ChangeLog.d/fix-asn1-store-named-data.txt b/ChangeLog.d/fix-asn1-store-named-data.txt
new file mode 100644
index 0000000000..7a040bd43b
--- /dev/null
+++ b/ChangeLog.d/fix-asn1-store-named-data.txt
@@ -0,0 +1,8 @@
+Security
+   * Fix a bug in tf-psa-crypto's mbedtls_asn1_store_named_data() where it
+     would sometimes leave an item in the output list in an inconsistent
+     state with val.p == NULL but val.len > 0. Affected functions used in X.509
+     would then dereference a NULL pointer. Applications that do not
+     call this function (directly, or indirectly through X.509 writing) are not
+     affected. Found by Linh Le and Ngan Nguyen from Calif.
+
diff --git a/ChangeLog.d/psa/psa-always-on.txt b/ChangeLog.d/psa/psa-always-on.txt
index 45f4d9b101..6607e9fe40 100644
--- a/ChangeLog.d/psa/psa-always-on.txt
+++ b/ChangeLog.d/psa/psa-always-on.txt
@@ -1,5 +1,5 @@
 Default behavior changes
-   * The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem
+   * The X.509 and TLS modules now always use the PSA subsystem
      to perform cryptographic operations, with a few exceptions documented
      in docs/architecture/psa-migration/psa-limitations.md. This
      corresponds to the behavior of Mbed TLS 3.x when
@@ -8,3 +8,4 @@ Default behavior changes
    * psa_crypto_init() must be called before performing any cryptographic
      operation, including indirect requests such as parsing a key or
      certificate or starting a TLS handshake.
+