diff --git a/CHANGES b/CHANGES index 95f2a57b45..b88123106a 100644 --- a/CHANGES +++ b/CHANGES @@ -19,7 +19,9 @@ 4935. [func] Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0 call were added). [GL #191] -4934. [security] Simultaneous use of stale cache records and NSEC +4934. [security] The serve-stale feature could cause an assertion failure + in rbtdb.c even when stale-answer-enable was false. + Simultaneous use of stale cache records and NSEC aggressive negative caching could trigger a recursion loop. (CVE-2018-5737) [GL #185] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 1669eef273..c2815c5e5b 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -42,11 +42,27 @@ - update-policy rules that otherwise ignore the name field now - require that it be set to "." to ensure that any type list - present is properly interpreted. Previously, if the name field - was omitted from the rule declaration but a type list was - present, it wouldn't be interpreted as expected. + The serve-stale feature could cause an assertion failure in + rbtdb.c even when stale-answer-enable was false. The + simultaneous use of stale cache records and NSEC aggressive + negative caching could trigger a recursion loop in the + named process. (CVE-2018-5737) [GL #185] + + + + + A bug in zone database reference counting could lead to a crash + when multiple versions of a slave zone were transferred from a + master in close succession. (CVE-2018-5736) [GL #134] + + + + + update-policy rules that otherwise ignore the + name field now require that it be set to "." to ensure that any + type list present is properly interpreted. Previously, if the + name field was omitted from the rule declaration but a type list + was present, it wouldn't be interpreted as expected.