From: Evan Hunt <each@isc.org>
Date: Fri, 18 Jan 2013 22:20:03 +0000 (-0800)
Subject: [v9_9] add CVE, correct change 3388
X-Git-Tag: v9.9.3b1~5
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=f893f333b88596ede2947cac09be011f530b0a2b;p=thirdparty%2Fbind9.git

[v9_9] add CVE, correct change 3388
(cherry picked from commit 3806133da574f4570db3005473e0d56b746cc6ea)
---

diff --git a/CHANGES b/CHANGES
index 9c2c74d4d9d..2e98c781a84 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,7 @@
 	
 3468.	[security]	RPZ rules to generate A records (but not AAAA records)
 			could trigger an assertion failure when used in
-			conjunction with DNS64. [RT #32141]
+			conjunction with DNS64 (CVE-2012-5689). [RT #32141]
 
 3467.	[bug]		Added checks in dnssec-keygen and dnssec-settime
 			to check for delete date < inactive date. [RT #31719]
@@ -209,7 +209,12 @@
 
 3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
 
-3388.	[bug]		Fixed several Coverity warnings. [RT #30996]
+3388.	[bug]		Fixed several Coverity warnings.
+			Note: This change includes a fix for a bug that
+			was subsequently determined to be an exploitable
+			security vulnerability, CVE-2012-5688: named could
+			die on specific queries with dns64 enabled.
+			[RT #30996]
 
 3386.	[bug]		Address locking violation when generating new NSEC /
 			NSEC3 chains. [RT #31224]