diff --git a/expat/Changes b/expat/Changes index 623327ef..11cc24bf 100644 --- a/expat/Changes +++ b/expat/Changes @@ -2,6 +2,11 @@ Release ?????????? Security fixes: CVE-2016-9063 -- Detect integer overflow #25 More integer overflow detection (function poolGrow) + Use high quality entropy for hash initialization: + * arc4random_buf on BSD, systems with libbsd, CloudABI + * RtlGenRandom on Windows XP / Server 2003 and later + * getrandom on glic 2.25+ Linux 3.17+ + In a way, that's still part of CVE-2016-5300. Bug fixes: #539 Fix regression from fix to CVE-2016-0718 cutting off
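Review bot: in the added entry under "Security fixes", the getrandom bullet reads "glic 2.25+", which should be "glibc 2.25+". The same bullet, "glibc 2.25+ Linux 3.17+", does not say whether both versions are required; something like "getrandom on Linux 3.17+ with glibc 2.25+" would remove the ambiguity. The entry also says nothing about platforms that none of the three bullets covers, so a reader cannot tell from the changelog whether hash initialization there still uses the older entropy source. That matters to anyone deciding whether their build benefits from the fix. "In a way, that's still part of CVE-2016-5300." is too loose for a security changelog line. State the relation directly, for example that this work continues the fix for CVE-2016-5300, and add an issue or pull request reference as the neighbouring entries (#25, #539) do.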