From e576baad9d7e545160fb15b052ab1699775dead8 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 16 Jul 2020 09:15:20 +1000
Subject: [PATCH] Add CHANGES and release notes for GL #2028

---
 CHANGES                     | 4 +++-
 doc/notes/notes-current.rst | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 902e52fbd8..cabd1eac71 100644
--- a/CHANGES
+++ b/CHANGES
@@ -28,7 +28,9 @@
 			derived from the client query processing timeout
 			configured for a resolver. [GL #2024]
 
-5476.	[placeholder]
+5476.	[security]	It was possible to trigger an assertion failure when
+			verifying the response to a TSIG-signed request.
+			(CVE-2020-8622) [GL #2028]
 
 5475.	[bug]		Fix RPZ wildcard passthru ignored when a rejection
 			would overwrite a passthru action matching some
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 7fc7d91bd8..f5fdc44bee 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -29,6 +29,13 @@ Security Fixes
   ISC would like to thank Joseph Gullo for bringing this vulnerability
   to our attention. [GL #1997]
 
+- It was possible to trigger an assertion failure when verifying the
+  response to a TSIG-signed request. This was disclosed in
+  CVE-2020-8622.
+
+  ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
+  of Oracle for bringing this vulnerability to our attention. [GL #2028]
+
 Known Issues
 ~~~~~~~~~~~~