diff --git a/sssd.changes b/sssd.changes
index 657ca3e..c2be64d 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -2,33 +2,38 @@
 Wed Mar 15 22:18:03 UTC 2017 - michael@stroeder.com
 
 - Update to new upstream release 1.15.2
-  * It is now possible to configure certain parameters of a trusted domain
-    in a configuration file sub-section.
-  * Several issues related to socket-activating the NSS service, especially
-    if SSSD was configured to use a non-privileged userm were fixed.
-    The NSS service now doesn't change the ownership of its log files to
-    avoid triggering a name-service lookup while the NSS service is not
-    running yet. Additionally, the NSS service is started before any other
-    service to make sure username resolution works and the other service
-    can resolve the SSSD user correctly.
-  * A new option "cache_first" allows the administrator to change the way
-    multiple domains are searched. When this option is enabled, SSSD will
-    first try to "pin" the requested name or ID to a domain by searching
-    the entries that are already cached and contact the domain that contains
-    the cached entry first. Previously, SSSD would check the cache and the
-    remote server for each domain. This option brings performance benefit
-    for setups that use multiple domains (even auto-discovered trusted
-    domains), especially for ID lookups that would previously iterate over
-    all domains. Please note that this option must be enabled with care as the
-    administrator must ensure that the ID space of domains does not overlap.
+  * It is now possible to configure certain parameters of a
+    trusted domain in a configuration file sub-section.
+  * Several issues related to socket-activating the NSS service,
+    especially if SSSD was configured to use a non-privileged
+    userm were fixed. The NSS service now does not change the
+    ownership of its log files to avoid triggering a name-service
+    lookup while the NSS service is not running yet.
+    Additionally, the NSS service is started before any other
+    service to make sure username resolution works and the other
+    service can resolve the SSSD user correctly.
+  * A new option "cache_first" allows the administrator to change
+    the way multiple domains are searched. When this option is
+    enabled, SSSD will first try to "pin" the requested name or
+    ID to a domain by searching the entries that are already
+    cached and contact the domain that contains the cached entry
+    first. Previously, SSSD would check the cache and the remote
+    server for each domain. This option brings performance
+    benefit for setups that use multiple domains (even
+    auto-discovered trusted domains), especially for ID lookups
+    that would previously iterate over all domains. Please note
+    that this option must be enabled with care as the
+    administrator must ensure that the ID space of domains does
+    not overlap.
   * The SSSD D-Bus interface gained two new methods:
-    "FindByNameAndCertificate" and "ListByCertificate". These methods
-    will be used primarily by IPA and
-    `mod_lookup_identity <https://github.com/adelton/mod_lookup_identity/>
-    to correctly match multple users who use the same certificate for Smart
-    Card login.
-  * A bug where SSSD did not properly sanitize a username with a newline
-    character in it was fixed.
+    "FindByNameAndCertificate" and "ListByCertificate". These
+    methods will be used primarily by IPA and
+    `mod_lookup_identity
+    <https://github.com/adelton/mod_lookup_identity/> to
+    correctly match multple users who use the same certificate
+    for Smart Card login.
+  * A bug where SSSD did not properly sanitize a username with a
+    newline character in it was fixed.
 
 -------------------------------------------------------------------
 Sat Mar 11 22:34:41 UTC 2017 - jengelh@inai.de