Add CHANGES and release note for GL #2055

diff --git a/CHANGES b/CHANGES
index 27cf14612fb95d417e8ed5a15855fb0c2af316cb..8284bdbd74fbb5f4f6747c0eb5f113afc04b5105 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,7 +12,12 @@
                        system, but the Duplicate Address Detection (DAD)
                        mechanism had not yet finished. [GL #2038]
 
-5481.  [placeholder]
+5481.  [security]      "update-policy" rules of type "subdomain" were
+                       incorrectly treated as "zonesub" rules, which allowed
+                       keys used in "subdomain" rules to update names outside
+                       of the specified subdomains. The problem was fixed by
+                       making sure "subdomain" rules are again processed as
+                       described in the ARM. (CVE-2020-8624) [GL #2055]
 
 5480.  [security]      When BIND 9 was compiled with native PKCS#11 support, it
                        was possible to trigger an assertion failure in code

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 175a15b3620a848b024b15fbd961a4202058f393..f7b490b80eeb5a8efc4b88a3dbdc622a6275354c 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -44,6 +44,15 @@ Security Fixes
   ISC would like to thank Lyu Chiy for bringing this vulnerability to
   our attention. [GL #2037]
 
+- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
+  as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
+  to update names outside of the specified subdomains. The problem was
+  fixed by making sure ``subdomain`` rules are again processed as
+  described in the ARM. This was disclosed in CVE-2020-8624.
+
+  ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+  vulnerability to our attention. [GL #2055]
+
 Known Issues
 ~~~~~~~~~~~~