diff --git a/ChangeLog b/ChangeLog
index 6e7964447e..d127877c1b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,10 @@ Bugfix
    * Fix a bug in the record decryption routine ssl_decrypt_buf()
      which lead to accepting properly authenticated but improperly
      padded records in case of CBC ciphersuites using Encrypt-then-MAC.
+   * Fix wrong order of freeing in programs/ssl/ssl_server2 example
+     application leading to a memory leak in case both
+     MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
+     Fixes #2069.
 
 Changes
    * "make apidoc" now generates the documentation for the current
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 5e6a705e1a..3951b835f0 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2495,6 +2495,8 @@ exit:
     mbedtls_ssl_cookie_free( &cookie_ctx );
 #endif
 
+    mbedtls_free( buf );
+
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
 #if defined(MBEDTLS_MEMORY_DEBUG)
     mbedtls_memory_buffer_alloc_status();
@@ -2502,7 +2504,6 @@ exit:
     mbedtls_memory_buffer_alloc_free();
 #endif
 
-    mbedtls_free( buf );
     mbedtls_printf( " done.\n" );
 
 #if defined(_WIN32)