diff --git a/CHANGES b/CHANGES
index fccec231a6..66cba77f0a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -39,7 +39,8 @@
 3693.	[security]	memcpy was incorrectly called with overlapping
 			ranges resulting in malformed names being generated
 			on some platforms.  This could cause INSIST failures
-			when serving NSEC3 signed zones.  [RT #35120]
+			when serving NSEC3 signed zones (CVE-2014-0591).
+			[RT #35120]
 
 3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
 			was no data at the node. [RT #35080]
@@ -157,8 +158,10 @@
 3657.	[port]		Some readline clones don't accept NULL pointers when
 			calling add_history. [RT #34842]
 
-3656.	[bug]		Treat an all zero netmask as invalid when generating
-			the localnets acl. [RT #34687]
+3656.	[security]	Treat an all zero netmask as invalid when generating
+			the localnets acl. (The prior behavior could
+			allow unexpected matches when using some versions
+			of Winsock: CVE-2013-6320.) [RT #34687]
 
 3655.	[cleanup]	Simplify TCP message processing when requesting a
 			zone transfer.  [RT #34825]