Add CHANGES and release note for GL #2354

diff --git a/CHANGES b/CHANGES
index 3e239d929c0db2781f0e25103ec43ecefa25531d..151bae286544e2a5299edd8b323789f9ceaab0cf 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -41,6 +41,9 @@
                        BIND 9 version number, in an effort to tightly couple
                        internal libraries with a specific release. [GL #2387]
 
+5562.  [security]      Fix off-by-one bug in ISC SPNEGO implementation.
+                       (CVE-2020-8625) [GL #2354]
+
 5561.  [bug]           KASP incorrectly set signature validity to the value
                        of the DNSKEY signature validity. This is now fixed.
                        [GL #2383]

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 0fd5d15845b6a4c92bf90cbb9f4de2245ed6662b..e201ccf4b235e84f2f767a17de85a4386c68bc70 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -14,7 +14,17 @@ Notes for BIND 9.16.12
 Security Fixes
 ~~~~~~~~~~~~~~
 
-- None.
+- When ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` was
+  configured, a specially crafted GSS-TSIG query could cause a buffer
+  overflow in the ISC implementation of SPNEGO (a protocol enabling
+  negotiation of the security mechanism to use for GSSAPI
+  authentication). This flaw could be exploited to crash ``named``.
+  Theoretically, it also enabled remote code execution, but achieving
+  the latter is very difficult in real-world conditions.
+  (CVE-2020-8625)
+
+  This vulnerability was responsibly reported to us as ZDI-CAN-12302 by
+  Trend Micro Zero Day Initiative. [GL #2354]
 
 Known Issues
 ~~~~~~~~~~~~