diff --git a/age/CHANGELOG.md b/age/CHANGELOG.md
index e7059f3c..b22ca728 100644
--- a/age/CHANGELOG.md
+++ b/age/CHANGELOG.md
@@ -47,6 +47,11 @@ to 1.0.0 are beta releases.
 - Support for encrypted OpenSSH keys exported from 1Password.
 
 ## [0.9.0] - 2022-10-27
+### Security
+- `age::ssh::Recipient::SshRsa` now has a maximum modulus size of 4096 bits, to
+  prevent a Denial of Service (DoS) condition when encrypting to untrusted
+  public keys.
+
 ### Added
 - `age::armor::ArmoredReadError`, used to wrap armor-specific read errors inside
   `std::io::Error`.
@@ -55,6 +60,7 @@ to 1.0.0 are beta releases.
 
 ### Changed
 - MSRV is now 1.59.0.
+- Migrated to `rsa 0.7`.
 - `age::Encryptor::with_recipients` now returns `Option<Encryptor>`, with `None`
   returned if the provided list of recipients is empty (to prevent files being
   encrypted to no recipients). The `recipients` argument is also now