git.ipfire.org Git - thirdparty/bind9.git/commitdiff
CHANGES, notes
author Matthijs Mekking <matthijs@isc.org>
Thu, 20 Dec 2018 09:22:02 +0000 (10:22 +0100)
committer Evan Hunt <each@isc.org>
Thu, 21 Feb 2019 03:45:11 +0000 (19:45 -0800)
(cherry picked from commit f0eefb06d488cc99e8b4a4b7238e4a556afb7586)

CHANGES
doc/arm/notes.xml

diff --git a/CHANGES b/CHANGES
index 74f7162430ac4f5508d7f2659b25cc8577e63540..3f9e8ec0680ef4bf77172d87c503791f5b7201ae 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 5121.  [contrib]       dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
                        matching zone names. [GL !1299]
 
+5118.  [security]      Named could crash if it is managing a key with
+                       `managed-keys` and the authoritative zone is rolling
+                       the key to an unsupported algorithm. (CVE-2018-5745)
+                       [GL #780]
+
 5115.  [bug]           Allow unsupported algorithms in zone when not used for
                        signing with dnssec-signzone. [GL #783]
 
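Review bot: The new 5118 entry wraps managed-keys in backticks, while the neighbouring entry 5115 names dnssec-signzone with no markup; CHANGES is plain text, so drop the backticks for consistency. The entry also opens with a capitalised "Named" where the release note for the same fix uses the lowercase program name, and "could crash if it is managing ... is rolling" mixes tenses. Suggested wording: "named could crash if it was managing a key with managed-keys and the authoritative zone rolled the key to an unsupported algorithm."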
index 5f810645e0c8344e5e4f1258a9594868f1f935b8..6b89fce96f8fb21055a2737c21edde224112f093 100644 (file)
          for records in the zone. [GL #771]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         <command>named</command> could crash if it managed a DNSSEC
+         security root with <command>managed-keys</command> and the
+         authoritative zone rolled the key to an algorithm not supported
+         by BIND 9.  This flaw is disclosed in CVE-2018-5745. [GL #780]
+       </para>
+      </listitem>
     </itemizedlist>
   </section>
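Review bot: "DNSSEC security root" in the added para is not the usual name for what managed-keys maintains, and it does not match the CHANGES entry for the same fix, which says "a key". What managed-keys tracks is a trust anchor (RFC 5011), so "if it managed a DNSSEC trust anchor with managed-keys" would be clearer to operators searching the notes. The para also ends at the CVE reference without saying whether any configuration avoids the crash; if there is one, a sentence here is where readers will look for it.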