diff --git a/CHANGES b/CHANGES
index d1f4aeba8e..4874ce7a4b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -24,6 +24,11 @@
 5821.	[bug]		Fix query context management issues in the TCP part
 			of dig. [GL #3184]
 
+5817.	[security]	The rules for acceptance of records into the cache
+			have been tightened to prevent the possibility of
+			poisoning if forwarders send records outside
+			the configured bailiwick. (CVE-2021-25220) [GL #2950]
+
 5816.	[bug]		Make BIND compile with LibreSSL 3.5.0, as it was using
 			not very accurate pre-processor checks for using shims.
 			[GL #3172]