system, but the Duplicate Address Detection (DAD)
mechanism had not yet finished. [GL #2038]
+5481. [security] "update-policy" rules of type "subdomain" were
+ incorrectly treated as "zonesub" rules, which allowed
+ keys used in "subdomain" rules to update names outside
+ of the specified subdomains. The problem was fixed by
+ making sure "subdomain" rules are again processed as
+ described in the ARM. (CVE-2020-8624) [GL #2055]
+
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
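Review bot: entry 5481 says "subdomain" rules are "again processed as described in the ARM", which implies a regression, but it does not name the change or release where the misbehaviour was introduced. Referencing it would let readers of CHANGES tell which versions granted the wider scope. The phrase "outside of the specified subdomains" is also left unbounded; since the rules were handled as "zonesub" rules, a clause stating how far a key's reach extended under that rule type would help operators judge their exposure.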
ISC would like to thank Lyu Chiy for bringing this vulnerability to
our attention. [GL #2037]
+- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
+ as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
+ to update names outside of the specified subdomains. The problem was
+ fixed by making sure ``subdomain`` rules are again processed as
+ described in the ARM. This was disclosed in CVE-2020-8624.
+
+ ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+ vulnerability to our attention. [GL #2055]
+
Known Issues
~~~~~~~~~~~~
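Review bot: the release-note paragraph for CVE-2020-8624 describes the flaw but gives operators nothing to check. It does not say that the affected configurations are zones whose ``update-policy`` contains ``subdomain`` grants, nor whether dynamic updates accepted from those keys before the fix should be reviewed. One sentence after "described in the ARM." would cover this. The wording "This was disclosed in CVE-2020-8624." also differs from the "(CVE-2020-8624)" form used in the CHANGES entry for the same fix; consider aligning the two.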