Add CHANGES and release note for [GL #2899]

CHANGES

@@ -65,7 +65,11 @@
 5737.	[bug]		Address Coverity warning in lib/dns/dnssec.c.
 			[GL #2935]
 
-5736.	[placeholder]
+5736.	[security]	The "lame-ttl" option is now forcibly set to 0. This
+			effectively disables the lame server cache, as it could
+			previously be abused by an attacker to significantly
+			degrade resolver performance. (CVE-2021-25219)
+			[GL #2899]
 
 5735.	[cleanup]	The result codes which BIND 9 uses internally are now
 			all defined as a single list of enum values rather than

doc/notes/notes-current.rst

@@ -14,7 +14,21 @@ Notes for BIND 9.17.18
 Security Fixes
 ~~~~~~~~~~~~~~
 
-- None.
+- The ``lame-ttl`` option controls how long ``named`` caches certain
+  types of broken responses from authoritative servers (see the
+  `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
+  details). This caching mechanism could be abused by an attacker to
+  significantly degrade resolver performance. The vulnerability has been
+  mitigated by changing the default value of ``lame-ttl`` to ``0`` and
+  overriding any explicitly set value with ``0``, effectively disabling
+  this mechanism altogether. ISC's testing has determined that doing
+  that has a negligible impact on resolver performance while also
+  preventing abuse. Administrators may observe more traffic towards
+  servers issuing certain types of broken responses than in previous
+  BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
+
+  ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
+  bringing this vulnerability to our attention. :gl:`#2899`
 
 Known Issues
 ~~~~~~~~~~~~