From edd0fc4596c578510ab48da1af7920dc35d973cd Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 13 Jan 2014 14:52:20 -0800
Subject: [PATCH] [v9_9] add CVE details; marked 3656 as [security]

---
 CHANGES |  9 ++++++---
 README  | 13 +++++++------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index fc36de2b6f..d6c4eaf79a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -28,7 +28,8 @@
 3693.	[security]	memcpy was incorrectly called with overlapping
 			ranges resulting in malformed names being generated
 			on some platforms.  This could cause INSIST failures
-			when serving NSEC3 signed zones.  [RT #35120]
+			when serving NSEC3 signed zones (CVE-2014-0591).
+			[RT #35120]
 
 3692.	[bug]		Two calls to dns_db_getoriginnode were fatal if there
 			was no data at the node. [RT #35080]
@@ -128,8 +129,10 @@
 3657.	[port]		Some readline clones don't accept NULL pointers when
 			calling add_history. [RT #34842]
 
-3656.	[bug]		Treat an all zero netmask as invalid when generating
-			the localnets acl. [RT #34687]
+3656.	[security]	Treat an all zero netmask as invalid when generating
+			the localnets acl. (The prior behavior could
+			allow unexpected matches when using some versions
+			of Winsock: CVE-2013-6320.) [RT #34687]
 
 3655.	[cleanup]	Simplify TCP message processing when requesting a
 			zone transfer.  [RT #34825]
diff --git a/README b/README
index e0e7b5f6aa..718b71a978 100644
--- a/README
+++ b/README
@@ -53,8 +53,9 @@ BIND 9
 
 BIND 9.9.5
 
-	BIND 9.9.5 is a maintenance release, and includes the following
-	functional enhancements:
+	BIND 9.9.5 is a maintenance release, and patches the security
+	flaws described in CVE-2013-6320 and CVE-2014-0591.  It also
+	includes the following functional enhancements:
 
 	 - "named" now preserves the capitalization of names when
 	   responding to queries.
@@ -63,10 +64,10 @@ BIND 9.9.5
 	 - When re-signing a zone, the new "dnssec-signzone -Q" option
 	   drops signatures from keys that are still published but are
 	   no longer active.
-         - "named-checkconf -px" will print the contents of configuration
-           files with the shared secrets obscured, making it easier to
-           share configuration (e.g. when submitting a bug report)
-           without revealing private information.
+	 - "named-checkconf -px" will print the contents of configuration
+	   files with the shared secrets obscured, making it easier to
+	   share configuration (e.g. when submitting a bug report)
+	   without revealing private information.
 
 BIND 9.9.4