diff --git a/CHANGES b/CHANGES index b01a399729..855a42e48b 100644 --- a/CHANGES +++ b/CHANGES @@ -18,7 +18,9 @@ 5479. [placeholder] -5478. [placeholder] +5478. [security] It was possible to trigger an assertion failure by + sending a specially crafted large TCP DNS message. + (CVE-2020-8620) [GL #1996] 5477. [bug] The idle timeout for connected TCP sockets is now derived from the client query processing timeout diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 3ee01476ab..0b21089508 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -14,7 +14,11 @@ Notes for BIND 9.17.4 Security Fixes ~~~~~~~~~~~~~~ -- None. +- It was possible to trigger an assertion failure by sending a specially + crafted large TCP DNS message. This was disclosed in CVE-2020-8620. + + ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for + bringing this vulnerability to our attention. [GL #1996] Known Issues ~~~~~~~~~~~~
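Review bot: In the CHANGES hunk, entry 5478 states only the symptom ("trigger an assertion failure by sending a specially crafted large TCP DNS message") and says nothing about what the change does to prevent it. A reader of CHANGES cannot tell from the entry which code path was affected or what was corrected. Suggest adding a short clause that names the affected component or the check that was introduced, leaving the "(CVE-2020-8620) [GL #1996]" references as they are.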
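Review bot: In the doc/notes/notes-current.rst hunk, the new Security Fixes item does not tell an operator what the assertion failure means for a running server or which releases are affected; "This was disclosed in CVE-2020-8620" only points the reader elsewhere. Suggest one sentence on impact and affected versions. The "[GL #1996]" reference also ends up after the acknowledgment paragraph rather than after the description of the issue; consider moving it to the end of the first paragraph so it stays attached to the fix description.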