Add CHANGES and release notes for [GL #2787]

diff --git a/CHANGES b/CHANGES
index 5a036e684b36144379ac76a95c54877edd30092c..fae091bf04b9aff004ce7938a385b324abb24b9b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5663.  [bug]           Properly handle non-zero OPCODEs when receiving the
+                       queries over DoT and DoH channels. [GL #2787]
+
 5662.  [bug]           Views with recursion disabled are now configured with a
                        default cache size of 2 MB, unless "max-cache-size" is
                        explicitly set. This prevents cache RBT hash tables from

diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 6e46da2b39694954a71b1b5c0dae6264514aa455..ced974c1f034a94088b1eefdf2398a38dcaf1760 100644 (file)
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -14,7 +14,11 @@ Notes for BIND 9.17.15
 Security Fixes
 ~~~~~~~~~~~~~~
 
-- None.
+- Sending non-zero opcode via DoT or DoH channels would trigger an assertion
+  failure in ``named``. This has been fixed.
+
+  ISC would like to thank Ville Heikkila of Synopsys Cybersecurity Research
+  Center for responsibly disclosing the vulnerability to us. :gl:`#2787`
 
 Known Issues
 ~~~~~~~~~~~~
@@ -58,4 +62,4 @@ Bug Fixes
 
 - A deadlock at startup was introduced when fixing :gl:`#1875` because when
   locking key files for reading and writing, "in-view" logic was not taken into
-  account. This has been fixed. [GL #2783]
+  account. This has been fixed. :gl:`#2783`