From: Mark Andrews Date: Wed, 29 Jul 2020 13:36:03 +0000 (+1000) Subject: Add CHANGES and release note for GL #2055 X-Git-Tag: v9.17.4~6^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4fb94906fae19692722b51f6a0ea8d7115cec76f;p=thirdparty%2Fbind9.git Add CHANGES and release note for GL #2055 --- diff --git a/CHANGES b/CHANGES index 27cf14612fb..8284bdbd74f 100644 --- a/CHANGES +++ b/CHANGES @@ -12,7 +12,12 @@ system, but the Duplicate Address Detection (DAD) mechanism had not yet finished. [GL #2038] -5481. [placeholder] +5481. [security] "update-policy" rules of type "subdomain" were + incorrectly treated as "zonesub" rules, which allowed + keys used in "subdomain" rules to update names outside + of the specified subdomains. The problem was fixed by + making sure "subdomain" rules are again processed as + described in the ARM. (CVE-2020-8624) [GL #2055] 5480. [security] When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 175a15b3620..f7b490b80ee 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -44,6 +44,15 @@ Security Fixes ISC would like to thank Lyu Chiy for bringing this vulnerability to our attention. [GL #2037] +- ``update-policy`` rules of type ``subdomain`` were incorrectly treated + as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules + to update names outside of the specified subdomains. The problem was + fixed by making sure ``subdomain`` rules are again processed as + described in the ARM. This was disclosed in CVE-2020-8624. + + ISC would like to thank Joop Boonen of credativ GmbH for bringing this + vulnerability to our attention. [GL #2055] + Known Issues ~~~~~~~~~~~~