diff --git a/debian/changelog b/debian/changelog
index 48798076..c41113f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,11 @@ shadow (1:4.13+dfsg1-2) UNRELEASED; urgency=medium
   * debian/login.pam: Drop reference to Debian Etch (Closes: #1040064)
   * debian/NEWS: Fix false claim about PREVENT_NO_AUTH affecting authentication.
     Also drop setting PREVENT_NO_AUTH in shipped login.defs. (Closes: #1041547)
+  * Cherry-pick upstream patch to fix gpasswd passwd leak
+    (CVE-2023-4641) (Closes: #1051062)
+  * Cherry-pick upstream patch to fix chfn vulnerability allowing injection of
+    control characters into some /etc/passwd fields.
+    (CVE-2023-29383) (Closes: #1034482)
 
   [ Gioele Barabucci ]
   * Support <nodoc> build profile
@@ -12,7 +17,8 @@ shadow (1:4.13+dfsg1-2) UNRELEASED; urgency=medium
     when the `<nodoc>` build profile is active, as long as `./configure` is
     called with `--disable-man`. (Closes: #1051827)
 
- -- Balint Reczey <balint@balintreczey.hu>  Mon, 25 Sep 2023 17:40:29 +0200
+
+ -- Balint Reczey <balint@balintreczey.hu>  Mon, 25 Sep 2023 18:17:12 +0200
 
 shadow (1:4.13+dfsg1-1) unstable; urgency=medium