system, but the Duplicate Address Detection (DAD)
mechanism had not yet finished. [GL #2038]
+5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
+ was possible to trigger an assertion failure in code
+ determining the number of bits in the PKCS#11 RSA public
+ key with a specially crafted packet. (CVE-2020-8623)
+ [GL #2037]
+
5479. [security] named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled. (CVE-2020-8621) [GL #1997]
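Review bot: In the new 5480 entry, "with a specially crafted packet" sits at the end of the sentence, so it reads as describing the PKCS#11 RSA public key rather than how the assertion is triggered. Moving the phrase forward removes the ambiguity, for example "it was possible for a specially crafted packet to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key". The rest of the entry (CVE reference, GL number) matches the format of 5479 below it.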
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
of Oracle for bringing this vulnerability to our attention. [GL #2028]
+- When BIND 9 was compiled with native PKCS#11 support, it was possible
+ to trigger an assertion failure in code determining the number of bits
+ in the PKCS#11 RSA public key with a specially crafted packet. This
+ was disclosed in CVE-2020-8623.
+
+ ISC would like to thank Lyu Chiy for bringing this vulnerability to
+ our attention. [GL #2037]
+
Known Issues
~~~~~~~~~~~~
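Review bot: The added CVE-2020-8623 item scopes the problem to builds "compiled with native PKCS#11 support" but leaves the reader to infer that builds without it are not affected. If that is the case, state it in one explicit sentence, since it is the first thing an operator reading the release notes has to decide. The item also says only that the issue "was disclosed"; a short clause saying it is fixed in this release would make the note self-contained.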