From: Matthijs Mekking <matthijs@isc.org>
Date: Thu, 20 Dec 2018 09:22:02 +0000 (+0100)
Subject: CHANGES, notes
X-Git-Tag: v9.12.4rc1~5^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89536c5024a8c9cd39f742f475321e6ee10d4a21;p=thirdparty%2Fbind9.git

CHANGES, notes

(cherry picked from commit f0eefb06d488cc99e8b4a4b7238e4a556afb7586)
---

diff --git a/CHANGES b/CHANGES
index 74f7162430a..3f9e8ec0680 100644
--- a/CHANGES
+++ b/CHANGES
@@ -86,6 +86,11 @@
 5121.	[contrib]	dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
 			matching zone names. [GL !1299]
 
+5118.	[security]	Named could crash if it is managing a key with
+			`managed-keys` and the authoritative zone is rolling
+			the key to an unsupported algorithm. (CVE-2018-5745)
+			[GL #780]
+
 5115.	[bug]		Allow unsupported algorithms in zone when not used for
 			signing with dnssec-signzone. [GL #783]
 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 5f810645e0c..6b89fce96f8 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -88,6 +88,14 @@
 	  for records in the zone. [GL #771]
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  <command>named</command> could crash if it managed a DNSSEC
+	  security root with <command>managed-keys</command> and the
+	  authoritative zone rolled the key to an algorithm not supported
+	  by BIND 9.  This flaw is disclosed in CVE-2018-5745. [GL #780]
+	</para>
+      </listitem>
     </itemizedlist>
   </section>