[v9_6] add CVE, correct change 3388

(cherry picked from commit 3806133da574f4570db3005473e0d56b746cc6ea)

diff --git a/CHANGES b/CHANGES
index 964fec30e8b11bc3e71087456ecf6055aa5d0f15..9abbf637a9c1388f4fb48025c3ef9ab14f38f324 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -145,7 +145,12 @@
 
 3389.  [bug]           Always return NOERROR (not 0) in TSIG. [RT #31275]
 
-3388.  [bug]           Fixed several Coverity warnings. [RT #30996]
+3388.  [bug]           Fixed several Coverity warnings.
+                       Note: This change includes a fix for a bug that
+                       was subsequently determined to be an exploitable
+                       security vulnerability, CVE-2012-5688: named could
+                       die on specific queries with dns64 enabled.
+                       [RT #30996]
 
 3386.  [bug]           Address locking violation when generating new NSEC /
                        NSEC3 chains. [RT #31224]