Fix section order in the ChangeLog

ChangeLog

@@ -2,6 +2,16 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 = mbed TLS x.x.x branch released xxxx-xx-xx
 
+Default behavior changes
+   * The truncated HMAC extension now conforms to RFC 6066. This means
+     that when both sides of a TLS connection negotiate the truncated
+     HMAC extension, Mbed TLS can now interoperate with other
+     compliant implementations, but this breaks interoperability with
+     prior versions of Mbed TLS. To restore the old behavior, enable
+     the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
+     config.h. Found by Andreas Walz (ivESK, Offenburg University of
+     Applied Sciences).
+
 Security
    * Fix implementation of the truncated HMAC extension. The previous
      implementation allowed an offline 2^80 brute force attack on the
@@ -40,16 +50,6 @@ Changes
    * MD functions deprecated in 2.7.0 are no longer inline, to provide
      a migration path for those depending on the library's ABI.
 
-Default behavior changes
-   * The truncated HMAC extension now conforms to RFC 6066. This means
-     that when both sides of a TLS connection negotiate the truncated
-     HMAC extension, Mbed TLS can now interoperate with other
-     compliant implementations, but this breaks interoperability with
-     prior versions of Mbed TLS. To restore the old behavior, enable
-     the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
-     config.h. Found by Andreas Walz (ivESK, Offenburg University of
-     Applied Sciences).
-
 = mbed TLS 2.7.0 branch released 2018-02-03
 
 Security