Package: racoon
Version: 1:0.8.0-12
Severity: serious

Dear Maintainer,

Racoon has a history of network vulnerabilities, running as root on the host. It is concerning that it is compiled without all hardening options employed. debian/rules has CFLAGS -D_FORTIFY_SOURCE=0; default Debian compile flags are for this to be set to 2. This was apparently done to get a 0.8.0 beta release to compile on i386/i486. Is this 0 setting needed any more?

The lintian warnings given are 'hardening-no-fortify-source', which indicates the program is compiled with strcpy, strcat et al., and strncpy, strncat not being substituted.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages racoon depends on:
ii  adduser                 3.113+nmu3
ii  debconf [debconf-2.0]   1.5.44
ii  ipsec-tools             1:0.8.0-12
ii  libc6                   2.13-33
ii  libcomerr2              1.42.4-3
ii  libgssapi-krb5-2        1.10.1+dfsg-1
ii  libk5crypto3            1.10.1+dfsg-1
ii  libkrb5-3               1.10.1+dfsg-1
ii  libldap-2.4-2           2.4.31-1
ii  libpam0g                1.1.3-7.1
ii  libssl1.0.0             1.0.1c-3
ii  perl                    5.14.2-12

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'
/etc/racoon/racoon-tool.conf changed [not included]

-- debconf information excluded
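
Added example, not part of the report above and not the lintian or hardening-check source: a shell sketch of the kind of check behind 'hardening-no-fortify-source', counting fortified (__NAME_chk) versus plain libc imports in `nm -D --undefined-only` output, plus a scan of a rules file for the override. The function names, the symbol subset and all sample input are constructed for this illustration.

```shell
#!/bin/sh
# Added example: classify undefined libc symbols from `nm -D --undefined-only`
# output as fortified (__NAME_chk) or unfortified (plain NAME).

# Functions glibc can replace with checked variants (subset chosen for this example).
FORTIFIABLE='strcpy strcat strncpy strncat memcpy memmove sprintf snprintf'

# Reads nm-style lines on stdin; prints "fortified=N unfortified=M".
fortify_report() {
    awk -v list="$FORTIFIABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "U" {
            sym = $2; sub(/@.*/, "", sym)      # drop the @GLIBC_x.y version suffix
            if (sym ~ /^__.*_chk$/) {
                base = sym; sub(/^__/, "", base); sub(/_chk$/, "", base)
                if (base in want) f++
            } else if (sym in want) u++
        }
        END { printf "fortified=%d unfortified=%d\n", f, u }
    '
}

# Reads a rules file on stdin; prints numbered lines that force fortification off.
fortify_override() {
    grep -n -e '-D_FORTIFY_SOURCE=0' || true
}

# Constructed sample inputs (not taken from the racoon package).
sample_unfortified() {
    printf '%s\n' '                 U strcpy@GLIBC_2.2.5' \
                  '                 U strncat@GLIBC_2.2.5' \
                  '                 U malloc@GLIBC_2.2.5'
}
sample_fortified() {
    printf '%s\n' '                 U __strcpy_chk@GLIBC_2.3.4' \
                  '                 U __strncat_chk@GLIBC_2.3.4' \
                  '                 U strcpy@GLIBC_2.2.5'
}
sample_rules() {
    printf '%s\n' 'CFLAGS += -O2 -g' 'CFLAGS += -D_FORTIFY_SOURCE=0'
}

sample_unfortified | fortify_report
sample_fortified | fortify_report
sample_rules | fortify_override
```

On a real build, pipe `nm -D --undefined-only /path/to/binary` into fortify_report. A fortified binary can still import some plain functions where the compiler could not determine the destination size, so fortified=0 alongside a non-zero unfortified count is the signal that matters.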