diff --git a/ChangeLog b/ChangeLog
index aecf4a5c2e..6bbd3f6a20 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,10 @@ Bugfix
    * Fix a bug in the record decryption routine ssl_decrypt_buf()
      which lead to accepting properly authenticated but improperly
      padded records in case of CBC ciphersuites using Encrypt-then-MAC.
+   * Fix wrong order of freeing in programs/ssl/ssl_server2 example
+     application leading to a memory leak in case both
+     MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
+     Fixes #2069.
 
 Changes
    * Add tests for session resumption in DTLS.
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index a770f1b899..df1fa1825e 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2538,6 +2538,8 @@ exit:
     mbedtls_ssl_cookie_free( &cookie_ctx );
 #endif
 
+    mbedtls_free( buf );
+
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
 #if defined(MBEDTLS_MEMORY_DEBUG)
     mbedtls_memory_buffer_alloc_status();
@@ -2545,7 +2547,6 @@ exit:
     mbedtls_memory_buffer_alloc_free();
 #endif
 
-    mbedtls_free( buf );
     mbedtls_printf( " done.\n" );
 
 #if defined(_WIN32)