diff --git a/ChangeLog.d/issue3819.txt b/ChangeLog.d/issue3819.txt index 58e55c1f1..e41520f46 100644 --- a/ChangeLog.d/issue3819.txt +++ b/ChangeLog.d/issue3819.txt @@ -1,5 +1,10 @@ Security - * Fix a security reduction error that causes all bits of the nonce - to be zero in mbedtls_ctr_drbg_reseed_internal. This prevents - the security strength from reaching the level required by NIST. + * Fix a security reduction in CTR_DRBG when the initial seeding obtained a + nonce from entropy. Applications were affected if they called + mbedtls_ctr_drbg_set_nonce_len(), if they called + mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key + length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256. + In such cases, a random nonce was necessary to achieve the advertised + security strength, but the code incorrectly used a constant instead of + entropy from the nonce. Found by John Stroebel in #3819 and fixed in #3973.
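Review bot: the third trigger condition in the new entry, "mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key length", is easy to misread as a fraction of the key length; consider "1.5 times the key length (the default when the entropy module uses SHA-256 and CTR_DRBG uses AES-256)" if that is the relationship, or otherwise keep the two cases separate but make the numeric wording unambiguous. The same sentence also mixes tenses ("if they called ... or when the entropy module uses ..."); pick one, since the conditions describe the same affected configurations. Finally, the removed text stated the consequence plainly (the nonce was all zero bits, so the required security strength was not reached); the replacement says only "incorrectly used a constant instead of entropy", and users triaging the advisory would benefit from keeping the explicit statement that the effective security strength was reduced below the advertised level.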