system, but the Duplicate Address Detection (DAD)
mechanism had not yet finished. [GL #2038]
+5478. [security] It was possible to trigger an assertion failure by
+ sending a specially crafted large TCP DNS message.
+ (CVE-2020-8620) [GL #1996]
+
5477. [bug] The idle timeout for connected TCP sockets is now
derived from the client query processing timeout
configured for a resolver. [GL #2024]
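Review bot: The new 5478 entry says only "a specially crafted large TCP DNS message" and does not name the component or code path where the assertion fires, so a reader of CHANGES cannot tell which deployments are exposed. Suggest naming the affected area in the entry, as 5477 directly below does with "connected TCP sockets" and "configured for a resolver". The entry number, [security] tag, CVE and GL references are otherwise consistent with the neighbouring entries.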
Security Fixes
~~~~~~~~~~~~~~
-- None.
+- It was possible to trigger an assertion failure by sending a specially
+ crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
+
+ ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
+ bringing this vulnerability to our attention. [GL #1996]
Known Issues
~~~~~~~~~~~~
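Review bot: In the new Security Fixes item the "[GL #1996]" reference ends the acknowledgement paragraph rather than the sentence describing the fix, so it reads as if the issue number belongs to the thanks. Suggest moving it to follow "This was disclosed in CVE-2020-8620." and keeping the acknowledgement as a separate paragraph. The item also does not say what the assertion failure means for an operator (for example, whether the server process exits) or who can send the triggering message. One sentence on impact would help readers judge the urgency of upgrading.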