Add CHANGES and release note for GL #2055

2025-08-28 13:08:06 +00:00 · 2020-07-29 23:36:03 +10:00 · 2020-07-29 23:36:03 +10:00 · 4fb94906fa
commit 4fb94906fa
parent 94bc07cf05
2 changed files with 15 additions and 1 deletions
--- a/7
+++ b/7
@ -12,7 +12,12 @@
 			system, but the Duplicate Address Detection (DAD)
 			mechanism had not yet finished. [GL #2038]

-5481.	[placeholder]
+5481.	[security]	"update-policy" rules of type "subdomain" were
+			incorrectly treated as "zonesub" rules, which allowed
+			keys used in "subdomain" rules to update names outside
+			of the specified subdomains. The problem was fixed by
+			making sure "subdomain" rules are again processed as
+			described in the ARM. (CVE-2020-8624) [GL #2055]

 5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
 			was possible to trigger an assertion failure in code
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -44,6 +44,15 @@ Security Fixes
  ISC would like to thank Lyu Chiy for bringing this vulnerability to
  our attention. [GL #2037]

+- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
+  as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
+  to update names outside of the specified subdomains. The problem was
+  fixed by making sure ``subdomain`` rules are again processed as
+  described in the ARM. This was disclosed in CVE-2020-8624.
+
+  ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+  vulnerability to our attention. [GL #2055]
+
 Known Issues
 ~~~~~~~~~~~~