From 4fb94906fae19692722b51f6a0ea8d7115cec76f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 29 Jul 2020 23:36:03 +1000 Subject: [PATCH] Add CHANGES and release note for GL #2055 --- CHANGES | 7 ++++++- doc/notes/notes-current.rst | 9 +++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 27cf14612f..8284bdbd74 100644 --- a/CHANGES +++ b/CHANGES @@ -12,7 +12,12 @@ system, but the Duplicate Address Detection (DAD) mechanism had not yet finished. [GL #2038] -5481. [placeholder] +5481. [security] "update-policy" rules of type "subdomain" were + incorrectly treated as "zonesub" rules, which allowed + keys used in "subdomain" rules to update names outside + of the specified subdomains. The problem was fixed by + making sure "subdomain" rules are again processed as + described in the ARM. (CVE-2020-8624) [GL #2055] 5480. [security] When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 175a15b362..f7b490b80e 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -44,6 +44,15 @@ Security Fixes ISC would like to thank Lyu Chiy for bringing this vulnerability to our attention. [GL #2037] +- ``update-policy`` rules of type ``subdomain`` were incorrectly treated + as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules + to update names outside of the specified subdomains. The problem was + fixed by making sure ``subdomain`` rules are again processed as + described in the ARM. This was disclosed in CVE-2020-8624. + + ISC would like to thank Joop Boonen of credativ GmbH for bringing this + vulnerability to our attention. [GL #2055] + Known Issues ~~~~~~~~~~~~
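Review bot: In the CHANGES hunk, entry 5481 says "subdomain" rules are "again processed as described in the ARM", which implies a regression, but the entry names neither the change that introduced the wrong behaviour nor the affected release range. An operator reading CHANGES cannot tell from this text whether a given build ever treated "subdomain" as "zonesub". Consider adding the originating change number or the affected versions to the entry, next to "(CVE-2020-8624) [GL #2055]".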
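Review bot: In the doc/notes/notes-current.rst hunk, the new bullet states the impact only as updates to names "outside of the specified subdomains" and relies on the reader already knowing what ``zonesub`` matches. Spell out the effective scope in words (a ``zonesub`` rule matches names at or below the zone in which the ``update-policy`` statement appears), so operators who delegated a key with a ``subdomain`` rule can judge their exposure from the release note alone. A short sentence pointing those operators at reviewing dynamic updates made with such keys would also help. Minor style point: "This was disclosed in CVE-2020-8624." differs from the plain "(CVE-2020-8624)" used in the CHANGES entry of the same patch; one form in both places would read better.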