From fc5a09135f33b0b0b4700a2e3c0a69c50e2486bb Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Date: Tue, 2 Feb 2016 11:38:27 -0500
Subject: [PATCH] changelog++

---
 CHANGELOG.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d210195b1..f70aac7d1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,10 +21,11 @@ DEPRECATIONS/BREAKING CHANGES:
    file, environment variables, and CLI flags. [GH-871]
  * `etcd` physical backend: `sync` functionality is now supported and turned on
    by default. This can be disabled. [GH-921]
- * `transit`: Attempting to encrypt a value with a key that does not yet exist
-   now results in an error, not creation of the key. The previous behavior can
-   be toggled on via the `allow_upsert` parameter to the new `transit/config`
-   endpoint. [GH-1011]
+ * `transit`: If a client attempts to encrypt a value with a key that does not
+   yet exist, what happens now depends on the capabilities set in the client's
+   ACL policies. If the client has `create` (or `create` and `update`)
+   capability, the key will upsert as in the past. If the client has `update`
+   capability, they will receive an error. [GH-1012]
  * `token-renew` CLI command: If the token given for renewal is the same as the
    client token, the `renew-self` endpoint will be used in the API. Given that
    the `default` policy (by default) allows all clients access to the