upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add CHANGES and release note for GL #2055

Browse source
This commit is contained in:
Mark Andrews 2020-07-29 23:36:03 +10:00 committed by Michał Kępień
parent 94bc07cf05
commit 4fb94906fa
2 changed files with 15 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
CHANGES
View file

@ -12,7 +12,12 @@
system, but the Duplicate Address Detection (DAD)
mechanism had not yet finished. [GL #2038]
5481. [placeholder]
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code

9
doc/notes/notes-current.rst
View file

@ -44,6 +44,15 @@ Security Fixes
ISC would like to thank Lyu Chiy for bringing this vulnerability to
our attention. [GL #2037]
- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
to update names outside of the specified subdomains. The problem was
fixed by making sure ``subdomain`` rules are again processed as
described in the ARM. This was disclosed in CVE-2020-8624.
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
vulnerability to our attention. [GL #2055]
Known Issues
~~~~~~~~~~~~