diff --git a/changes/bug17027-reject-private-bind-port b/changes/bug17027-reject-private-bind-port
new file mode 100644
index 0000000000000000000000000000000000000000..abc1431c9a7bb5ce10b4e225a7a003efadf52020
--- /dev/null
+++ b/changes/bug17027-reject-private-bind-port
@@ -0,0 +1,7 @@
+  o Minor bug fixes (security, exit policies):
+    - ExitPolicyRejectPrivate rejects more private addresses by default:
+      * the relay's outbound bind addresses (if configured), and
+      * the relay's configured port addresses (such as ORPort and DirPort).
+      Resolves ticket 17027. Patch by "teor".
+      Patch on 42b8fb5a1523 (11 Nov 2007), released in 0.2.0.11-alpha,
+      and on 0.2.7.3-rc.