From 5a7d1d2d0c1021bd4371ee3e2eec52655a6995c5 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 1 Sep 2022 16:34:21 -0700 Subject: [PATCH] CHANGES and release notes for [GL #3523] (cherry picked from commit 991de0aa7612cca50eae26b92b764cd5e37a3179) --- CHANGES | 9 +++++++++ doc/notes/notes-current.rst | 17 +++++++++++++++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index c6227baf10..95a7fc82bd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,12 @@ +6064. [security] An UPDATE message flood could cause named to exhaust all + available memory. This flaw was addressed by adding a + new "update-quota" statement that controls the number of + simultaneous UPDATE messages that can be processed or + forwarded. The default is 100. A stats counter has been + added to record events when the update quota is + exceeded, and the XML and JSON statistics version + numbers have been updated. (CVE-2022-3094) [GL #3523] + 6063. [bug] Revert a change that limited to honour single read for TLSDNS as it broke XoT. [GL #3772] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ef72732ede..305cea5933 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -15,12 +15,25 @@ Notes for BIND 9.18.11 Security Fixes ~~~~~~~~~~~~~~ -- None. +- An UPDATE message flood could cause :iscman:`named` to exhaust all + available memory. This flaw was addressed by adding a new + :any:`update-quota` option that controls the maximum number of + outstanding DNS UPDATE messages that :iscman:`named` can hold in a + queue at any given time (default: 100). (CVE-2022-3094) + + ISC would like to thank Rob Schulhof from Infoblox for bringing this + vulnerability to our attention. :gl:`#3523` New Features ~~~~~~~~~~~~ -- None. +- The new :any:`update-quota` option can be used to control the number + of simultaneous DNS UPDATE messages that can be processed to update an + authoritative zone on a primary server, or forwarded to the primary + server by a secondary server. The default is 100. A new statistics + counter has also been added to record events when this quota is + exceeded, and the version numbers for the XML and JSON statistics + schemas have been updated. :gl:`#3523` Removed Features ~~~~~~~~~~~~~~~~
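Review bot: In the CHANGES hunk, entry 6064 describes update-quota as limiting "the number of simultaneous UPDATE messages that can be processed or forwarded", while the release note in the same patch describes it as "the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time"; those are different limits (in-flight versus queued), so one wording should be used in both places. The entry also never says what happens to an UPDATE that arrives once the quota of 100 is reached (refused, dropped, or deferred), which is the first thing an operator hit by the new counter will want to know; one clause, e.g. "additional UPDATE requests are rejected until the quota is no longer exceeded" if that is the actual behaviour, would close that gap.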
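Review bot: In the notes-current.rst hunk, :any:`update-quota` is referenced twice but this patch adds no documentation target for it (no change under doc/arm), so the role only resolves if the cherry-picked code commit for [GL #3523] already added the option to the reference manual on this branch; confirm that before merging, since an unresolved :any: reference breaks the Sphinx build or yields a dead link in the published notes. Separately, the New Features entry says "a new statistics counter has also been added" and that "the version numbers for the XML and JSON statistics schemas have been updated" without naming the counter or the new version numbers; the release note is exactly where anyone scripting against the statistics channel looks for those, so state them here.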