I've uploaded an NMU that fixes these bugs to the 7-day DELAYED queue.
Patch follows.
diff -u ipsec-tools-0.6.6/config.guess ipsec-tools-0.6.6/config.guess
--- ipsec-tools-0.6.6/config.guess
+++ ipsec-tools-0.6.6/config.guess
@@ -4,7 +4,7 @@
# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
# Inc.
-timestamp='2006-07-02'
+timestamp='2007-03-06'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -161,6 +161,7 @@
arm*) machine=arm-unknown ;;
sh3el) machine=shl-unknown ;;
sh3eb) machine=sh-unknown ;;
+ sh5el) machine=sh5le-unknown ;;
*) machine=${UNAME_MACHINE_ARCH}-unknown ;;
esac
# The Operating System including object format, if it has switched
@@ -780,7 +781,7 @@
i*:CYGWIN*:*)
echo ${UNAME_MACHINE}-pc-cygwin
exit ;;
- i*:MINGW*:*)
+ *:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
i*:windows32*:*)
@@ -790,12 +791,15 @@
i*:PW*:*)
echo ${UNAME_MACHINE}-pc-pw32
exit ;;
- x86:Interix*:[3456]*)
- echo i586-pc-interix${UNAME_RELEASE}
- exit ;;
- EM64T:Interix*:[3456]*)
- echo x86_64-unknown-interix${UNAME_RELEASE}
- exit ;;
+ *:Interix*:[3456]*)
+ case ${UNAME_MACHINE} in
+ x86)
+ echo i586-pc-interix${UNAME_RELEASE}
+ exit ;;
+ EM64T | authenticamd)
+ echo x86_64-unknown-interix${UNAME_RELEASE}
+ exit ;;
+ esac ;;
[345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
echo i${UNAME_MACHINE}-pc-mks
exit ;;
@@ -950,6 +954,9 @@
x86_64:Linux:*:*)
echo x86_64-unknown-linux-gnu
exit ;;
+ xtensa:Linux:*:*)
+ echo xtensa-unknown-linux-gnu
+ exit ;;
i*86:Linux:*:*)
# The BFD linker knows what the default object file format is, so
# first see if it will tell us. cd to the root directory to prevent
@@ -1208,6 +1215,15 @@
SX-6:SUPER-UX:*:*)
echo sx6-nec-superux${UNAME_RELEASE}
exit ;;
+ SX-7:SUPER-UX:*:*)
+ echo sx7-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-8:SUPER-UX:*:*)
+ echo sx8-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-8R:SUPER-UX:*:*)
+ echo sx8r-nec-superux${UNAME_RELEASE}
+ exit ;;
Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;;
diff -u ipsec-tools-0.6.6/config.sub ipsec-tools-0.6.6/config.sub
--- ipsec-tools-0.6.6/config.sub
+++ ipsec-tools-0.6.6/config.sub
@@ -4,7 +4,7 @@
# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
# Inc.
-timestamp='2006-09-20'
+timestamp='2007-01-18'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
@@ -245,12 +245,12 @@
| bfin \
| c4x | clipper \
| d10v | d30v | dlx | dsp16xx \
- | fr30 | frv \
+ | fido | fr30 | frv \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
- | maxq | mb | microblaze | mcore \
+ | maxq | mb | microblaze | mcore | mep \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
@@ -324,7 +324,7 @@
| clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
- | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
| h8300-* | h8500-* \
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
| i*86-* | i860-* | i960-* | ia64-* \
@@ -925,6 +925,9 @@
basic_machine=sh-hitachi
os=-hms
;;
+ sh5el)
+ basic_machine=sh5le-unknown
+ ;;
sh64)
basic_machine=sh64-unknown
;;
@@ -1219,7 +1222,7 @@
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
- | -skyos* | -haiku* | -rdos* | -toppers*)
+ | -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@@ -1414,6 +1417,9 @@
m68*-cisco)
os=-aout
;;
+ mep-*)
+ os=-elf
+ ;;
mips*-cisco)
os=-elf
;;
diff -u ipsec-tools-0.6.6/debian/changelog ipsec-tools-0.6.6/debian/changelog
--- ipsec-tools-0.6.6/debian/changelog
+++ ipsec-tools-0.6.6/debian/changelog
@@ -1,3 +1,15 @@
+ipsec-tools (1:0.6.6-3.2) unstable; urgency=low
+
+ * Non-maintainer upload
+ * Fix remote DoS condition that makes it possible for remote attackers to
+ crash a tunnel. See CVE-2007-1841 (closes: #423252)
+ * Fix typo in initscript (s/force_reload/force-reload). Patch from
+ Robie Basak (closes: #380103)
+ * setkey does not honor both -FP and -F in a single run, split into
+ separate calls. Patch from Benjamin Sonntag (closes: #403511)
+
+ -- dann frazier <[EMAIL PROTECTED]> Tue, 19 Jun 2007 11:26:58 -0600
+
ipsec-tools (1:0.6.6-3.1) unstable; urgency=low
* Non-maintainer upload to fix pending l10n issues.
diff -u ipsec-tools-0.6.6/debian/racoon.init
ipsec-tools-0.6.6/debian/racoon.init
--- ipsec-tools-0.6.6/debian/racoon.init
+++ ipsec-tools-0.6.6/debian/racoon.init
@@ -74,7 +74,7 @@
echo "."
;;
- reload|force_reload|restart)
+ reload|force-reload|restart)
$0 stop
$0 start
;;
diff -u ipsec-tools-0.6.6/debian/ipsec-tools.setkey.init
ipsec-tools-0.6.6/debian/ipsec-tools.setkey.init
--- ipsec-tools-0.6.6/debian/ipsec-tools.setkey.init
+++ ipsec-tools-0.6.6/debian/ipsec-tools.setkey.init
@@ -26,13 +26,15 @@
;;
stop)
echo -n "Flushing IPsec SA/SP database: "
- $SETKEY -F -FP
+ $SETKEY -F
+ $SETKEY -FP
echo "done."
;;
restart|force-reload)
echo -n "Reloading IPsec SA/SP database: "
- $SETKEY -F -FP
$SETKEY -f $SETKEY_CONF
+ $SETKEY -F
+ $SETKEY -FP
echo "done."
;;
*)
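Review bot: In the `restart|force-reload` branch the two flush calls now run after `$SETKEY -f $SETKEY_CONF`, so the SAD and SPD entries that were just loaded are flushed again and a restart appears to end with empty databases. With no policies left in the SPD, traffic that is meant to be protected would presumably leave the host without IPsec until the configuration is loaded again. The original order (flush first, then load) should be kept with the split calls: `$SETKEY -F`, `$SETKEY -FP`, then `$SETKEY -f $SETKEY_CONF`. The split in the `stop` branch looks correct as written.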
only in patch2:
unchanged:
--- ipsec-tools-0.6.6.orig/src/racoon/isakmp_inf.c
+++ ipsec-tools-0.6.6/src/racoon/isakmp_inf.c
@@ -267,12 +267,12 @@
switch (np) {
case ISAKMP_NPTYPE_N:
- if (isakmp_info_recv_n(iph1, msg) < 0)
- goto end;
+ if ( encrypted )
+ isakmp_info_recv_n(iph1, msg);
break;
case ISAKMP_NPTYPE_D:
- if (isakmp_info_recv_d(iph1, msg) < 0)
- goto end;
+ if ( encrypted )
+ isakmp_info_recv_d(iph1, msg);
break;
case ISAKMP_NPTYPE_NONCE:
/* XXX to be 6.4.2 ike-01.txt */
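Review bot: The return values of `isakmp_info_recv_n()` and `isakmp_info_recv_d()` are now discarded, so a handler failure no longer reaches `goto end` as it did before the change. If that is intended it deserves a comment; otherwise the check can be kept together with the new guard, e.g. `if (encrypted && isakmp_info_recv_n(iph1, msg) < 0) goto end;`, and likewise for the D case. Unencrypted N and D payloads are also dropped silently; a warning-level log entry on that path would let operators see unauthenticated attempts to tear down a tunnel (the CVE-2007-1841 condition named in the changelog). `encrypted` is set outside this hunk and the enclosing function starts and ends outside it, so how it is derived should be confirmed against the full file.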
--
dann frazier