system, but the Duplicate Address Detection (DAD)
mechanism had not yet finished. [GL #2038]
+5479. [security] named could crash in certain query resolution scenarios
+ where QNAME minimization and forwarding were both
+ enabled. (CVE-2020-8621) [GL #1997]
+
5478. [security] It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message.
(CVE-2020-8620) [GL #1996]
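Review bot: The new 5479 entry says only that named "could crash" and leaves out both that the crash is an assertion failure and that the fix changes resolver behaviour. The release note added for the same issue states that QNAME minimization is now disabled whenever forwarders are used. A short clause to that effect here would let operators who read only CHANGES see the behaviour change, and would match the level of detail in the neighbouring 5478 entry, which names the assertion failure.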
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
bringing this vulnerability to our attention. [GL #1996]
+- ``named`` could crash after failing an assertion check in certain
+ query resolution scenarios where QNAME minimization and forwarding
+ were both enabled. To prevent such crashes, QNAME minimization is now
+ always disabled for a given query resolution process, if forwarders
+ are used at any point. This was disclosed in CVE-2020-8621.
+
+ ISC would like to thank Joseph Gullo for bringing this vulnerability
+ to our attention. [GL #1997]
+
Known Issues
~~~~~~~~~~~~
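Review bot: The sentence "QNAME minimization is now always disabled for a given query resolution process, if forwarders are used at any point" announces a behaviour change but does not say how it interacts with an explicitly configured ``qname-minimization`` setting, or whether anything is logged when it takes effect. Because QNAME minimization is a privacy feature, operators who enabled it deliberately will want to know that forwarding now overrides it. Consider adding one sentence that says so. Minor style point: the comma before "if forwarders" can be dropped.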