git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Add CHANGES and release note for GL #2037
author Ondřej Surý <ondrej@isc.org>
Tue, 21 Jul 2020 13:24:21 +0000 (15:24 +0200)
committer Michał Kępień <michal@isc.org>
Wed, 5 Aug 2020 13:51:50 +0000 (15:51 +0200)
CHANGES
doc/arm/notes-9.11.22.xml

diff --git a/CHANGES b/CHANGES
index 7e243aafc9a1643c65175fc8089b6e24732c9dae..999a3b68d2e37a54468efefef6995eae58cc4cfe 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+5480.  [security]      When BIND 9 was compiled with native PKCS#11 support, it
+                       was possible to trigger an assertion failure in code
+                       determining the number of bits in the PKCS#11 RSA public
+                       key with a specially crafted packet. (CVE-2020-8623)
+                       [GL #2037]
+
 5476.  [security]      It was possible to trigger an assertion failure when
                        verifying the response to a TSIG-signed request.
                        (CVE-2020-8622) [GL #2028]
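Review bot: In the new 5480 entry the trailing "with a specially crafted packet" attaches to "the PKCS#11 RSA public key" instead of to "trigger", so the sentence reads as if the key, not the assertion failure, came from the packet. Suggest reordering to "it was possible to trigger, with a specially crafted packet, an assertion failure in code determining the number of bits in the PKCS#11 RSA public key". Separately, 5480 lands directly above 5476 here; please confirm that entries 5477 to 5479 are intentionally absent from this branch's CHANGES.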
index c11113318fce6925113913a2053316ab2cf42f85..d01c65a70c78af1a2a5b619de54d52cd0bae5863 100644 (file)
           of Oracle for bringing this vulnerability to our attention. [GL #2028]
         </para>
       </listitem>
+      <listitem>
+        <para>
+          When BIND 9 was compiled with native PKCS#11 support, it was possible
+          to trigger an assertion failure in code determining the number of bits
+          in the PKCS#11 RSA public key with a specially crafted packet. This
+          was disclosed in CVE-2020-8623.
+        </para>
+        <para>
+          ISC would like to thank Lyu Chiy for bringing this vulnerability to
+          our attention. [GL #2037]
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
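Review bot: The first added <para> names the trigger ("a specially crafted packet") but not what an operator needs to act on: it does not say what the assertion failure does to a running server, and the scoping condition is only implied by the opening clause "When BIND 9 was compiled with native PKCS#11 support". Suggest adding one sentence that states the effect on the server and says outright that builds without native PKCS#11 support are not affected, so readers of the release notes can tell quickly whether they need to upgrade. The same misplaced "with a specially crafted packet" clause as in the CHANGES entry is repeated here and should be reordered in both places together.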