From 9d69ee740ffaa3f41b9e129ffbb7cf6d9d672d8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Fri, 31 Jul 2020 09:39:46 +0200
Subject: [PATCH] Add CHANGES and release note for GL #1996

---
 CHANGES                     | 4 ++++
 doc/notes/notes-current.rst | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 15ed661dac..db4f998f01 100644
--- a/CHANGES
+++ b/CHANGES
@@ -10,6 +10,10 @@
 			system, but the Duplicate Address Detection (DAD)
 			mechanism had not yet finished. [GL #2038]
 
+5478.	[security]	It was possible to trigger an assertion failure by
+			sending a specially crafted large TCP DNS message.
+			(CVE-2020-8620) [GL #1996]
+
 5477.	[bug]		The idle timeout for connected TCP sockets is now
 			derived from the client query processing timeout
 			configured for a resolver. [GL #2024]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index d316b8b996..496ab11af8 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -14,7 +14,11 @@ Notes for BIND 9.16.6
 Security Fixes
 ~~~~~~~~~~~~~~
 
-- None.
+- It was possible to trigger an assertion failure by sending a specially
+  crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
+
+  ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
+  bringing this vulnerability to our attention. [GL #1996]
 
 Known Issues
 ~~~~~~~~~~~~