Add CHANGES and release note for GL #2037

diff --git a/CHANGES b/CHANGES
index cabd1eac716eb299ec8efd5a34fabb2e9737872d..27cf14612fb95d417e8ed5a15855fb0c2af316cb 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -14,7 +14,11 @@
 
 5481.  [placeholder]
 
-5480.  [placeholder]
+5480.  [security]      When BIND 9 was compiled with native PKCS#11 support, it
+                       was possible to trigger an assertion failure in code
+                       determining the number of bits in the PKCS#11 RSA public
+                       key with a specially crafted packet. (CVE-2020-8623)
+                       [GL #2037]
 
 5479.  [security]      named could crash in certain query resolution scenarios
                        where QNAME minimization and forwarding were both

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index f5fdc44bee3272a14cb85dddb0b539d8c360b484..175a15b3620a848b024b15fbd961a4202058f393 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -36,6 +36,14 @@ Security Fixes
   ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
   of Oracle for bringing this vulnerability to our attention. [GL #2028]
 
+- When BIND 9 was compiled with native PKCS#11 support, it was possible
+  to trigger an assertion failure in code determining the number of bits
+  in the PKCS#11 RSA public key with a specially crafted packet. This
+  was disclosed in CVE-2020-8623.
+
+  ISC would like to thank Lyu Chiy for bringing this vulnerability to
+  our attention. [GL #2037]
+
 Known Issues
 ~~~~~~~~~~~~