ipsec-tools: CVE-2015-4047: null pointer dereference crash in racoon

Related Vulnerabilities: CVE-2015-4047  

Debian Bug report logs - #785778

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 20 May 2015 06:12:01 UTC

Severity: grave

Tags: security, upstream

Found in versions ipsec-tools/1:0.7.3-12, ipsec-tools/1:0.8.0-14

Fixed in versions ipsec-tools/1:0.8.2+20140711-3, ipsec-tools/1:0.8.2+20140711-2+deb8u1, ipsec-tools/1:0.8.0-14+deb7u1, ipsec-tools/1:0.7.3-12+deb6u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#785778; Package src:ipsec-tools. (Wed, 20 May 2015 06:12:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Wed, 20 May 2015 06:12:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ipsec-tools: null pointer dereference crash in racoon
Date: Wed, 20 May 2015 08:09:01 +0200
Source: ipsec-tools
Version: 1:0.8.0-14
Severity: grave
Tags: security upstream

Hi

Marked as severity grave as this could lead to denial of service, see
the following for details:

http://www.openwall.com/lists/oss-security/2015/05/20/1

No CVE is assigned yet (will update the bug once assigned).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#785778; Package src:ipsec-tools. (Wed, 20 May 2015 21:30:05 GMT).


Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Wed, 20 May 2015 21:30:05 GMT).


Message #10 received at 785778@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 785778@bugs.debian.org
Subject: Re: Bug#785778: ipsec-tools: null pointer dereference crash in racoon
Date: Wed, 20 May 2015 10:52:14 -0700
On Wed, May 20, 2015 at 08:09:01AM +0200, Salvatore Bonaccorso wrote:
> Marked as severity grave as this could lead to denial of service, see
> the following for details:
> 
> http://www.openwall.com/lists/oss-security/2015/05/20/1
> 
> No CVE is assigned yet (will update the bug once assigned).

I've got an upload prepared. I'd like to wait until we've got a CVE
assigned so I can include it in the changelog, but I don't plan on
waiting more than a few more hours. I'll upload by 22:00 UTC with or
without a CVE.

Are you preparing a (old)stable security update for this or do you require
assistance?

noah

Added tag(s) pending. Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org. (Wed, 20 May 2015 21:30:11 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#785778; Package src:ipsec-tools. (Thu, 21 May 2015 03:57:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Thu, 21 May 2015 03:57:05 GMT).


Message #17 received at 785778@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Noah Meyerhans <noahm@debian.org>
Cc: jmm@debian.org, 785778@bugs.debian.org
Subject: Re: Bug#785778: ipsec-tools: null pointer dereference crash in racoon
Date: Thu, 21 May 2015 05:53:12 +0200
Hi Noah,

On Wed, May 20, 2015 at 10:52:14AM -0700, Noah Meyerhans wrote:
> On Wed, May 20, 2015 at 08:09:01AM +0200, Salvatore Bonaccorso wrote:
> > Marked as severity grave as this could lead to denial of service, see
> > the following for details:
> > 
> > http://www.openwall.com/lists/oss-security/2015/05/20/1
> > 
> > No CVE is assigned yet (will update the bug once assigned).
> 
> I've got an upload prepared. I'd like to wait until we've got a CVE
> assigned so I can include it in the changelog, but I don't plan on
> waiting more than a few more hours. I'll upload by 22:00 UTC with or
> without a CVE.

Thanks! Still by now no CVE was assigned.

> Are you preparing a (old)stable security update for this or do you require
> assistance?

Yes indeed we were planning to do so. Have both prepared and were
waiting for the CVE assignment. But if none is done we might proceed.
I can upload amd64 binary packages for testing exposure to people.d.o.

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#785778; Package src:ipsec-tools. (Thu, 21 May 2015 04:48:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Thu, 21 May 2015 04:48:05 GMT).


Message #22 received at 785778@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 785778@bugs.debian.org
Cc: Noah Meyerhans <noahm@debian.org>, jmm@debian.org
Subject: Re: Bug#785778: ipsec-tools: null pointer dereference crash in racoon
Date: Thu, 21 May 2015 06:44:04 +0200
Hi Noah,

On Thu, May 21, 2015 at 05:53:12AM +0200, Salvatore Bonaccorso wrote:
> Hi Noah,
> 
> On Wed, May 20, 2015 at 10:52:14AM -0700, Noah Meyerhans wrote:
> > On Wed, May 20, 2015 at 08:09:01AM +0200, Salvatore Bonaccorso wrote:
> > > Marked as severity grave as this could lead to denial of service, see
> > > the following for details:
> > > 
> > > http://www.openwall.com/lists/oss-security/2015/05/20/1
> > > 
> > > No CVE is assigned yet (will update the bug once assigned).
> > 
> > I've got an upload prepared. I'd like to wait until we've got a CVE
> > assigned so I can include it in the changelog, but I don't plan on
> > waiting more than a few more hours. I'll upload by 22:00 UTC with or
> > without a CVE.
> 
> Thanks! Still by now no CVE was assigned.
> 
> > Are you preparing a (old)stable security update for this or do you require
> > assistance?
> 
> Yes indeed we were planning to do so. Have both prepared and were
> waiting for the CVE assignment. But if none is done we might proceed.
> I can upload amd64 binary packages for testing exposure to people.d.o.

https://people.debian.org/~carnil/tmp/ipsec-tools/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#785778; Package src:ipsec-tools. (Thu, 21 May 2015 05:24:04 GMT).


Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Thu, 21 May 2015 05:24:04 GMT).


Message #27 received at 785778@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 785778@bugs.debian.org, jmm@debian.org
Subject: Re: Bug#785778: ipsec-tools: null pointer dereference crash in racoon
Date: Wed, 20 May 2015 22:21:06 -0700
On Thu, May 21, 2015 at 06:44:04AM +0200, Salvatore Bonaccorso wrote:
> > Yes indeed we were planning to do so. Have both prepared and were
> > waiting for the CVE assignment. But if none is done we might proceed.
> > I can upload amd64 binary packages for testing exposure to people.d.o.
> 
> https://people.debian.org/~carnil/tmp/ipsec-tools/

Thanks, I've got the wheezy and jessie builds testing. Seems fine so
far. The fix is straightforward so I don't anticipate any issues.

Thanks
noah

Information forwarded to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#785778; Package src:ipsec-tools. (Thu, 21 May 2015 20:39:10 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Thu, 21 May 2015 20:39:11 GMT).


Message #32 received at 785778@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Noah Meyerhans <noahm@debian.org>, 785778@bugs.debian.org
Cc: jmm@debian.org
Subject: Re: Bug#785778: ipsec-tools: null pointer dereference crash in racoon
Date: Thu, 21 May 2015 22:35:45 +0200
Hi Noah!

On Wed, May 20, 2015 at 10:21:06PM -0700, Noah Meyerhans wrote:
> On Thu, May 21, 2015 at 06:44:04AM +0200, Salvatore Bonaccorso wrote:
> > > Yes indeed we were planning to do so. Have both prepared and were
> > > waiting for the CVE assignment. But if none is done we might proceed.
> > > I can upload amd64 binary packages for testing exposure to people.d.o.
> > 
> > https://people.debian.org/~carnil/tmp/ipsec-tools/
> 
> Thanks, I've got the wheezy and jessie builds testing. Seems fine so
> far. The fix is straightforward so I don't anticipate any issues.

This has now been assigned a CVE (CVE-2015-4047).
http://www.openwall.com/lists/oss-security/2015/05/21/11

Will finish the packaging tomorrow morning and upload to
security-master for wheezy-security and jessie-security.

Regards,
Salvatore



Changed Bug title to 'ipsec-tools: CVE-2015-4047: null pointer dereference crash in racoon' from 'ipsec-tools: null pointer dereference crash in racoon' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 May 2015 20:39:14 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#785778; Package src:ipsec-tools. (Fri, 22 May 2015 10:09:05 GMT).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Fri, 22 May 2015 10:09:05 GMT).


Message #39 received at 785778@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Noah Meyerhans <noahm@debian.org>
Cc: debian-lts@lists.debian.org, 785778@bugs.debian.org
Subject: squeeze update of ipsec-tools?
Date: Fri, 22 May 2015 12:03:59 +0200
Control: found -1 1:0.7.3-12

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ipsec-tools:
https://security-tracker.debian.org/tracker/CVE-2015-4047

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Marked as found in versions ipsec-tools/1:0.7.3-12. Request was from Raphael Hertzog <hertzog@debian.org> to 785778-submit@bugs.debian.org. (Fri, 22 May 2015 10:09:05 GMT).


Reply sent to <noahm@debian.org>:
You have taken responsibility. (Sun, 24 May 2015 06:36:06 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 May 2015 06:36:06 GMT).


Message #46 received at 785778-close@bugs.debian.org:

From: <noahm@debian.org>
To: 785778-close@bugs.debian.org
Subject: Bug#785778: fixed in ipsec-tools 1:0.8.2+20140711-3
Date: Sun, 24 May 2015 06:34:05 +0000
Source: ipsec-tools
Source-Version: 1:0.8.2+20140711-3

We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 785778@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
noahm@debian.org (supplier of updated ipsec-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 20 May 2015 10:46:55 -0700
Source: ipsec-tools
Binary: ipsec-tools racoon
Architecture: source amd64
Version: 1:0.8.2+20140711-3
Distribution: unstable
Urgency: medium
Maintainer: pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>
Changed-By: noahm@debian.org
Description:
 ipsec-tools - IPsec utilities
 racoon     - IPsec Internet Key Exchange daemon
Closes: 785778
Changes:
 ipsec-tools (1:0.8.2+20140711-3) unstable; urgency=medium
 .
   * Fix null pointer dereference leading to a possible crash and
     denial of service attack. (Closes: 785778)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 24 May 2015 13:33:55 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 May 2015 13:33:55 GMT).


Message #51 received at 785778-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 785778-close@bugs.debian.org
Subject: Bug#785778: fixed in ipsec-tools 1:0.8.2+20140711-2+deb8u1
Date: Sun, 24 May 2015 13:32:06 +0000
Source: ipsec-tools
Source-Version: 1:0.8.2+20140711-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 785778@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ipsec-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 22 May 2015 09:59:27 +0200
Source: ipsec-tools
Binary: ipsec-tools racoon
Architecture: source
Version: 1:0.8.2+20140711-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 ipsec-tools - IPsec utilities
 racoon     - IPsec Internet Key Exchange daemon
Closes: 785778
Changes:
 ipsec-tools (1:0.8.2+20140711-2+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add bug785778-null-pointer-deref.patch patch.
     CVE-2015-4047: Fix NULL pointer dereference in racoon in gssapi.c
     leading to a possible crash and denial of service attack. (Closes: #785778)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 24 May 2015 13:34:08 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 May 2015 13:34:08 GMT).


Message #56 received at 785778-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 785778-close@bugs.debian.org
Subject: Bug#785778: fixed in ipsec-tools 1:0.8.0-14+deb7u1
Date: Sun, 24 May 2015 13:32:35 +0000
Source: ipsec-tools
Source-Version: 1:0.8.0-14+deb7u1

We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 785778@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ipsec-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 22 May 2015 08:05:50 +0200
Source: ipsec-tools
Binary: ipsec-tools racoon
Architecture: source amd64
Version: 1:0.8.0-14+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Matthew Grant <matthewgrant5@gmail.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 ipsec-tools - IPsec utilities
 racoon     - IPsec Internet Key Exchange daemon
Closes: 785778
Changes:
 ipsec-tools (1:0.8.0-14+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add bug785778-null-pointer-deref.patch patch.
     CVE-2015-4047: Fix NULL pointer dereference in racoon in gssapi.c
     leading to a possible crash and denial of service attack. (Closes: #785778)




Information forwarded to debian-bugs-dist@lists.debian.org, pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>:
Bug#785778; Package src:ipsec-tools. (Sun, 24 May 2015 17:51:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>. (Sun, 24 May 2015 17:51:05 GMT).


Message #61 received at 785778@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Noah Meyerhans <noahm@debian.org>, debian-lts@lists.debian.org, 785778@bugs.debian.org
Subject: Re: squeeze update of ipsec-tools?
Date: Sun, 24 May 2015 19:48:47 +0200
Hi!

On Fri, May 22, 2015 at 12:03:59PM +0200, Raphael Hertzog wrote:
> Control: found -1 1:0.7.3-12
> 
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of ipsec-tools:
> https://security-tracker.debian.org/tracker/CVE-2015-4047

I prepared an update for these in squeeze-lts, and uploaded packages
to test to https://people.debian.org/~carnil/tmp/ipsec-tools/ . The
fix is straightforward as well for the squeeze version. But in case
you have it in production and want to test the packages, test feedback
is welcome before releasing them.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 30 May 2015 10:39:14 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 30 May 2015 10:39:14 GMT).


Message #66 received at 785778-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 785778-close@bugs.debian.org
Subject: Bug#785778: fixed in ipsec-tools 1:0.7.3-12+deb6u1
Date: Sat, 30 May 2015 10:35:06 +0000
Source: ipsec-tools
Source-Version: 1:0.7.3-12+deb6u1

We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 785778@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ipsec-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 24 May 2015 19:28:09 +0200
Source: ipsec-tools
Binary: ipsec-tools racoon
Architecture: source amd64
Version: 1:0.7.3-12+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Stefan Bauer <stefan.bauer@cubewerk.de>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 ipsec-tools - IPsec tools for Linux
 racoon     - IPsec IKE keying daemon
Closes: 785778
Changes:
 ipsec-tools (1:0.7.3-12+deb6u1) squeeze-lts; urgency=high
 .
   * Non-maintainer upload.
   * Add bug785778-null-pointer-deref.patch patch.
     CVE-2015-4047: Fix NULL pointer dereference in racoon in gssapi.c
     leading to a possible crash and denial of service attack. (Closes: #785778)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Jun 2015 07:31:35 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:35:27 2019; Machine Name: beach
