From 205c35b9cdc29ec46c4bfa71e54e26711ec0af2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 26 Feb 2026 21:17:47 +0100
Subject: [PATCH] Reorder release notes

---
 doc/notes/notes-9.21.19.rst | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/doc/notes/notes-9.21.19.rst b/doc/notes/notes-9.21.19.rst
index 436f727475..30dc4a5753 100644
--- a/doc/notes/notes-9.21.19.rst
+++ b/doc/notes/notes-9.21.19.rst
@@ -15,6 +15,24 @@ Notes for BIND 9.21.19
 Security Fixes
 ~~~~~~~~~~~~~~
 
+- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a
+  DNAME response.
+
+  This issue only affected the :iscman:`delv` tool and it has now been
+  fixed.
+
+  ISC would like to thank Vitaly Simonovich for bringing this
+  vulnerability to our attention. :gl:`#5728`
+
+- Fix a NULL pointer dereference in qp-trie cache code.
+
+  When ``RRSIG(rdtype)`` was independently cached before the RDATA for
+  the ``rdtype`` itself, :iscman:`named` would crash on the subsequent
+  query for the RDATA itself. This has been fixed.
+
+  ISC would like to thank Vitaly Simonovich for bringing this
+  vulnerability to our attention. :gl:`#5738`
+
 - Immediately remove purged ADB names and entries from the SIEVE list.
 
   Under certain circumstances, the ADB could double-count purged
@@ -62,24 +80,6 @@ Bug Fixes
 
 - Fix dnstap logging of forwarded queries. :gl:`#5724`
 
-- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a
-  DNAME response.
-
-  This issue only affected the :iscman:`delv` tool and it has now been
-  fixed.
-
-  ISC would like to thank Vitaly Simonovich for bringing this
-  vulnerability to our attention. :gl:`#5728`
-
-- Fix a NULL pointer dereference in qp-trie cache code.
-
-  When ``RRSIG(rdtype)`` was independently cached before the RDATA for
-  the ``rdtype`` itself, :iscman:`named` would crash on the subsequent
-  query for the RDATA itself. This has been fixed.
-
-  ISC would like to thank Vitaly Simonovich for bringing this
-  vulnerability to our attention. :gl:`#5738`
-
 - A stale answer could have been served in case of multiple upstream
   failures when following CNAME chains. This has been fixed. :gl:`#5751`