diff --git a/CHANGES b/CHANGES index 0839f62122..ecd526da0a 100644 --- a/CHANGES +++ b/CHANGES @@ -87,7 +87,9 @@ and "nsdname-enable" both now default to yes, regardless of compile-time settings. [GL #824] -5141. [placeholder] +5141. [security] Zone transfer controls for writable DLZ zones were + not effective as the allowzonexfr method was not being + called for such zones. (CVE-2019-6465) [GL #790] 5140. [bug] Don't immediately mark existing keys as inactive and deleted when running dnssec-keymgr for the first diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 79256ea5c1..849ba261b0 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -157,6 +157,14 @@ [GL #772] + + + Zone transfer controls for writable DLZ zones were not + effective as the allowzonexfr method was + not being called for such zones. This flaw is disclosed in + CVE-2019-6465. [GL #790] + +
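Review bot: In the CHANGES hunk, entry 5141 records only what was broken ("the allowzonexfr method was not being called for such zones") and not the behaviour after the change. Consider closing the entry with the resulting behaviour, for example that allowzonexfr is now consulted for writable DLZ zones if that is what the fix does, so a reader scanning CHANGES can tell what changed without opening GL #790. The visible patch touches only CHANGES and doc/arm/notes.xml, so the code change and any regression test for it cannot be reviewed from these hunks.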
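Review bot: In the doc/arm/notes.xml hunk, the new release note describes the flaw but gives operators nothing to act on. It would help to say who is affected (servers with writable DLZ zones that rely on allowzonexfr to restrict transfers) and that upgrading is what restores the control. The lines added around the paragraph show up here as empty "+" lines, so please confirm that the enclosing list and paragraph markup, and any markup around allowzonexfr, is balanced in the actual file.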