Add CHANGES and release note for GL #2055

CHANGES

@@ -12,7 +12,12 @@
 			system, but the Duplicate Address Detection (DAD)
 			mechanism had not yet finished. [GL #2038]
 
-5481.	[placeholder]
+5481.	[security]	"update-policy" rules of type "subdomain" were
+			incorrectly treated as "zonesub" rules, which allowed
+			keys used in "subdomain" rules to update names outside
+			of the specified subdomains. The problem was fixed by
+			making sure "subdomain" rules are again processed as
+			described in the ARM. (CVE-2020-8624) [GL #2055]
 
 5480.	[security]	When BIND 9 was compiled with native PKCS#11 support, it
 			was possible to trigger an assertion failure in code

doc/notes/notes-current.rst

@@ -44,6 +44,15 @@ Security Fixes
   ISC would like to thank Lyu Chiy for bringing this vulnerability to
   our attention. [GL #2037]
 
+- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
+  as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
+  to update names outside of the specified subdomains. The problem was
+  fixed by making sure ``subdomain`` rules are again processed as
+  described in the ARM. This was disclosed in CVE-2020-8624.
+
+  ISC would like to thank Joop Boonen of credativ GmbH for bringing this
+  vulnerability to our attention. [GL #2055]
+
 Known Issues
 ~~~~~~~~~~~~