CHANGES, notes

(cherry picked from commit f0eefb06d488cc99e8b4a4b7238e4a556afb7586)

diff --git a/CHANGES b/CHANGES
index ee1fe25510d842d545f8fb40c93d3e8a2800383a..51f35ba18e2cf52486e95c3f28f1c79235620266 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -79,6 +79,11 @@
 5121.  [contrib]       dlz_stub_driver.c fails to return ISC_R_NOTFOUND on none
                        matching zone names. [GL !1299]
 
+5118.  [security]      Named could crash if it is managing a key with
+                       `managed-keys` and the authoritative zone is rolling
+                       the key to an unsupported algorithm. (CVE-2018-5745)
+                       [GL #780]
+
 5112.  [bug]           Named/named-checkconf could dump core if there was
                        a missing masters clause and a bad notify clause.
                        [GL #779]

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index b4efd3792cad2881683417682b177f18d5ad8cdf..b1ee51bb7cec35dfd8982f691c04bd23f122879d 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -106,6 +106,14 @@
          for records in the zone. [GL #771]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         <command>named</command> could crash if it managed a DNSSEC
+         security root with <command>managed-keys</command> and the
+         authoritative zone rolled the key to an algorithm not supported
+         by BIND 9.  This flaw is disclosed in CVE-2018-5745. [GL #780]
+       </para>
+      </listitem>
     </itemizedlist>
   </section>