From 1047838e84c8ec99c566c9a52336d9dbddd4e333 Mon Sep 17 00:00:00 2001
From: Marcus Bointon <marcus@synchromedia.co.uk>
Date: Tue, 15 Jun 2021 20:03:50 +0200
Subject: [PATCH] Changelog

---
 changelog.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 5643540d..b0a6c2e3 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,7 @@
 # PHPMailer Change Log
 
-* **SECURITY** Fixes CVE-2021-3603 that may permit untrusted code to be run from an address validator, see SECURITY.md for details
+* **SECURITY** Fixes CVE-2021-3603 that may permit untrusted code to be run from an address validator, see [SECURITY.md](SECURITY.md) for details
+* The fix for this issue includes a minor BC break: callables injected into `validateAddress`, or indirectly through the `$validator` class property, may no longer be simple strings. If you want to inject your own validator, provide a closure instead of a function name.
 
 ## Version 6.4.1 (April 29th, 2021)
 * **SECURITY** Fixes CVE-2020-36326, a regression of CVE-2018-19296 object injection introduced in 6.1.8, see SECURITY.md for details