Author: Noah Meyerhans
Revision Date: 2015-06-26 09:38:42 UTC

Fix FTBFS with gcc 5 due to unspecified parameter type in xauth_reply,
src/racoon/isakmp_xauth.c (Closes: 777918)

Author: Noah Meyerhans
Revision Date: 2015-06-26 09:38:42 UTC

Fix FTBFS with gcc 5 due to unspecified parameter type in xauth_reply,
src/racoon/isakmp_xauth.c (Closes: 777918)

Author: Marc Deslauriers
Revision Date: 2015-05-25 11:47:57 UTC

* SECURITY UPDATE: denial of service via racoon null dereference
  - debian/patches/CVE-2015-4047.patch: check iph1->rmconf in
    src/racoon/gssapi.c.
  - CVE-2015-4047

Author: Marc Deslauriers
Revision Date: 2015-05-25 11:47:57 UTC

* SECURITY UPDATE: denial of service via racoon null dereference
  - debian/patches/CVE-2015-4047.patch: check iph1->rmconf in
    src/racoon/gssapi.c.
  - CVE-2015-4047

Author: Marc Deslauriers
Revision Date: 2015-05-29 11:20:23 UTC

fake sync from Debian

Author: Marc Deslauriers
Revision Date: 2015-05-29 11:20:23 UTC

fake sync from Debian

Author: Noah Meyerhans
Revision Date: 2014-10-13 22:55:01 UTC

* Stop using hardening-wrapper
* Import patch for checkpoint xauth. (Closes: 650176)
* Bump standards version to 3.9.6 (no changes)

Author: Noah Meyerhans
Revision Date: 2014-10-13 22:55:01 UTC

* Stop using hardening-wrapper
* Import patch for checkpoint xauth. (Closes: 650176)
* Bump standards version to 3.9.6 (no changes)

Author: Matthias Klose
Revision Date: 2013-12-22 18:38:26 UTC

Update aclocal.m4 and configure for ppc64el.

Author: Matthias Klose
Revision Date: 2013-12-22 18:38:26 UTC

Update aclocal.m4 and configure for ppc64el.

Author: Matthias Klose
Revision Date: 2013-12-22 18:38:26 UTC

Update aclocal.m4 and configure for ppc64el.

Author: Matthias Klose
Revision Date: 2013-10-09 21:38:28 UTC

Update config.{guess,sub} for AArch64.

Author: Matthias Klose
Revision Date: 2013-10-09 21:38:28 UTC

Update config.{guess,sub} for AArch64.

Author: Matthias Klose
Revision Date: 2013-02-26 10:00:37 UTC

Fix build failure with GCC 4.8.

Author: Matthias Klose
Revision Date: 2013-02-26 10:00:37 UTC

Fix build failure with GCC 4.8.

Author: Colin Watson
Revision Date: 2012-10-03 09:27:21 UTC

Rebuild for new armel compiler default of ARMv5t.

Author: Robie Basak
Revision Date: 2012-03-09 19:01:04 UTC

* src/racoon/handler.c: fix phase 2 negotiation (LP: #947309).
  - Patch from upstream CVS revisions 1.31 and 1.32.
  - Fixes Vista and Windows 7 client support.

Author: Robie Basak
Revision Date: 2012-03-09 19:01:04 UTC

* src/racoon/handler.c: fix phase 2 negotiation (LP: #947309).
  - Patch from upstream CVS revisions 1.31 and 1.32.
  - Fixes Vista and Windows 7 client support.

Author: Adam Gandelman
Revision Date: 2011-10-25 11:12:16 UTC

debian/racoon-tool.pl: Backport a fix to correctly determine module
extension for 3.x kernels. (LP: #877891)

Author: Adam Gandelman
Revision Date: 2011-10-25 11:12:16 UTC

debian/racoon-tool.pl: Backport a fix to correctly determine module
extension for 3.x kernels. (LP: #877891)

Author: Adam Gandelman
Revision Date: 2011-10-25 18:13:06 UTC

debian/racoon-tool.pl: Backport a fix to correctly determine module
extension for 3.x kernels. (LP: #877891)

Author: Daniel Holbach
Revision Date: 2011-10-25 08:02:00 UTC

* Merge from Debian unstable (LP: #881097). Remaining changes:
   - debian/control: Depend on lsb-base
   - debian/rules: switch -U_FORTIFY_SOURCE for -D_FORTIFY_SOURCE=0
* Dropped changes:
   - Modify configure.ac to not convert -RXYZ to -Wl,-RXYZ, and regenerate
     configure (Applied in debian via configure-pass-Wl-with-R.patch)
   - debian/{racoon.init, ipsec-tools.setkey.init}: Re-write LSB init script
     (Fixed in Debian)
* Apply new patchs which enable GNU/kfreebsd build.
  Thanks to Mats Erik Andersson. (Closes: #617859, #639970)
* Put removing of config.log at end of dh_clean to stop file changed
  problems during git-buildpackage
* Fix lots of minor lintian warnings.
* LSB-fy init scripts. (Closes: #629828)
* Fix spelling error in racoon.conf.5 manpage.
* Fix typo in libipsec_strerror.h (Closes: #642926)
* Updated racoon-tool.conf.5 manpage, minor regexps.
* New racoon-tool, Multi relation SPD code.
* debian/control: Add Vcs-* stanzas.
* Revert racoon-tool default SPD level to unique for comaptibilty and
  individual VPN reload speed.
* Temporarily fix gcc-4.6 build on most architectures. Need to contact
  upstream about proper use of autoconf and configure.ac for gcc-4.6 support
  as autoconf for this package appears to be brittle.
* Remove Requires-Stop $remotefs from init script. (Closes: #643006)
* Minor version to kick over reprepro
* Fix required-stop $remotefs with lintian override as otherwise causes
  dependency boot order loops sith sendsigs.
* Add racoon-tool match code for udp port 500 traffic.
* Update raccon-tool transport mode to ignore dup port 500 <-> 500 traffic.
* New Maintainer. Have conferred with Stefan Bauer.
* Changed to gcc-4.5 only as 4.6 does not support -R flag that ipsec-tools
  requires. (Closes: #625184)
* Marked automake, autoconf, and autoheader as Build-Conflicts.
* Added updated racoon-tool.pl and associated manpages.

Author: Adam Gandelman
Revision Date: 2011-10-24 12:08:24 UTC

* Merge from Debian unstable (LP: #881097). Remaining changes:
   - debian/control: Depend on lsb-base
   - debian/rules: switch -U_FORTIFY_SOURCE for -D_FORTIFY_SOURCE=0
* Dropped changes:
   - Modify configure.ac to not convert -RXYZ to -Wl,-RXYZ, and regenerate
     configure (Applied in debian via configure-pass-Wl-with-R.patch)
   - debian/{racoon.init, ipsec-tools.setkey.init}: Re-write LSB init script
     (Fixed in Debian)

Author: Adam Gandelman
Revision Date: 2011-10-24 21:18:18 UTC

* Merge from Debian unstable (LP: #881097). Remaining changes:
   - debian/control: Depend on lsb-base
   - debian/rules: switch -U_FORTIFY_SOURCE for -D_FORTIFY_SOURCE=0
* Dropped changes:
   - Modify configure.ac to not convert -RXYZ to -Wl,-RXYZ, and regenerate
     configure (Applied in debian via configure-pass-Wl-with-R.patch)
   - debian/{racoon.init, ipsec-tools.setkey.init}: Re-write LSB init script
     (Fixed in Debian)

Author: Serge Hallyn
Revision Date: 2011-06-06 08:06:28 UTC

* Merge from debian unstable (LP: #787114), remaining changes:
  - debian/control: Depend on lsb-base
* Dropped patches, applied upstream:
  - debian/patches/fix-address-already-in-use.patch
  - fix-several-formating-errors-in-setkey-manpage.patch
* debian/rules: switch -U_FORTIFY_SOURCE for -D_FORTIFY_SOURCE=0, bc the
  latter breaks in oneiric, claiming _FORTIFY_SOURCE is redefined.
* Modify configure.ac to not convert -RXYZ to -Wl,-RXYZ, and regenerate
  configure.
* debian/ipsec-tools.setkey.init: Re-write LSB init script
* debian/racoon.init: LSB init script

Author: Lorenzo De Liso
Revision Date: 2010-11-24 22:37:15 UTC

[ Lorenzo De Liso ]
* Merge from debian unstable (LP: #681427), remaining changes:
  - debian/control: Depend on lsb-base
  - debian/ipsec-tools.setket.init: LSB init script.
  - debian/patches/fix-address-already-in-use.patch: Fix address already
    in use. (LP: #332606)
* Dropped changes:
  - debian/{control,rules}: add and enable hardening build for PIE
    (Debian bug 542731): fixed in debian
  - src/racoon/ipsec_doi.c: Patched to fix segfault when using
    ipv6 addresses in sainfo section of racoon.conf. Thanks to
    Fredrik Ljunggren. (LP: #374185): fixed upstream

[ Alessio Treglia ]
* Refresh Lorenzo's patch in order to make it apply cleanly,
  add patch header as per DEP-3 spec.
* Refresh fix-several-formating-errors-in-setkey-manpage.patch.

Author: Chuck Short
Revision Date: 2010-07-02 13:06:26 UTC

* Merge from debian/unstable:
  + debian/control:
    - Set Ubuntu maintainer address
    - Depend on lsb-base
  + debian/ipsec-tools.setket.init: LSB init script.
  + debian/{control,rules}: add and enable hardening build for PIE
    (Debian bug 542731)
  + src/racoon/ipsec_doi.c: Patched to fix segfault when using
    ipv6 addresses in sainfo section of racoon.conf. Thanks to
    Fredrik Ljunggren. (LP: #374185)
  + src/racoon/isakmp.c: Fix address already in use. (LP: #332606)

Author: Chuck Short
Revision Date: 2009-11-09 09:26:42 UTC

src/racoon/ipsec_doi.c: Patched to fix segfault when using
ipv6 addresses in sainfo section of racoon.conf. Thanks to
Fredrik Ljunggren. (LP: #374185)

Author: Chuck Short
Revision Date: 2009-11-09 09:32:28 UTC

src/racoon/ipsec_doi.c: Patched to fix segfault when using
ipv6 addresses in sainfo section of racoon.conf. Thanks to
Fredrik Ljunggren. (LP: #374185)

Author: Chuck Short
Revision Date: 2010-01-03 17:58:13 UTC

* Merge from debian testing. Remaining changes:
  - debian/control:
    - Set Ubuntu maintainer address.
    - Depend on lsb-base
  - debian/ipsec-tools.setkey.init: LSB init script.
  - Enable build with hardened options:
    - src/setkey/setkey.c: stop scanning stdin if fgets fails.
  - debian/{control,rules}: add and enable hardened build for PIE
    (Debian bug 542731).
  - src/racoon/ipsec_doi.c: Patched to fix segfault when using
    ipv6 addresses in sainfo section of racoon.conf. Thanks to
    Fredrik Ljunggren. (LP: #374185)
  - src/racoon/isakmp.c: Fix address already in use. (LP: #332606)

Author: Chuck Short
Revision Date: 2009-10-01 15:17:55 UTC

src/racoon/ipsec_doi.c: Patched to fix segfault when using
ipv6 addresses in sainfo section of racoon.conf. Thanks to
Fredrik Ljunggren. (LP: #374185)

Author: Chuck Short
Revision Date: 2009-10-01 15:06:45 UTC

src/racoon/ipsec_doi.c: Patched to fix segfault when using
ipv6 addresses in sainfo section of racoon.conf. Thanks to
Fredrik Ljunggren. (LP: #374185)

Author: Chuck Short
Revision Date: 2009-09-15 08:39:41 UTC

src/racoon/isakmp.c: Fix address already in use. (LP: #332606)

Author: Mathias Gug
Revision Date: 2008-06-18 17:34:55 UTC

* Merge from debian unstable, remaining changes:
  - debian/control:
    - Set Ubuntu maintainer address.
    - Depend on lsb-base.
  - debian/ipsec-tools.setkey.init:
    - LSB init script.
* Dropped:
  - debian/ipsec-tools.setkey.init:
    - restart method: stop then start.
    - Use {} instead of () in usage (bash_completion).
  - debian/racoon.init:
    - Create /var/run/racoon.
    - Use {} instead of () in usage (bash_completion).
* Bug fixed by this merge:
    - fix XAuth with U-FQDN (LP: #234166).
* Enable build with hardened options:
  - src/libipsec/policy_token.c: don't check return code of fwrite.
  - src/setkey/setkey.c: stop scanning stdin if fgets fails.

Author: Marc Deslauriers
Revision Date: 2009-06-04 14:10:48 UTC

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Author: Marc Deslauriers
Revision Date: 2009-06-04 14:10:48 UTC

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Author: Marc Deslauriers
Revision Date: 2009-06-04 14:35:06 UTC

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Author: Marc Deslauriers
Revision Date: 2009-06-04 14:35:06 UTC

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Author: Mathias Gug
Revision Date: 2008-06-18 17:34:55 UTC

* Merge from debian unstable, remaining changes:
  - debian/control:
    - Set Ubuntu maintainer address.
    - Depend on lsb-base.
  - debian/ipsec-tools.setkey.init:
    - LSB init script.
* Dropped:
  - debian/ipsec-tools.setkey.init:
    - restart method: stop then start.
    - Use {} instead of () in usage (bash_completion).
  - debian/racoon.init:
    - Create /var/run/racoon.
    - Use {} instead of () in usage (bash_completion).
* Bug fixed by this merge:
    - fix XAuth with U-FQDN (LP: #234166).
* Enable build with hardened options:
  - src/libipsec/policy_token.c: don't check return code of fwrite.
  - src/setkey/setkey.c: stop scanning stdin if fgets fails.

Author: Marc Deslauriers
Revision Date: 2009-06-04 14:41:34 UTC

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Author: Marc Deslauriers
Revision Date: 2009-06-04 14:41:34 UTC

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Author: Mathias Gug
Revision Date: 2007-11-26 11:57:18 UTC

* Merge from debian unstable, remaining changes:
  - debian/control:
    - Set Ubuntu maintainer address.
    - Depend on lsb-base.
  - debian/ipsec-tools.setkey.init:
    - LSB init script.
    - restart method: stop then start.
    - Use {} instead of () in usage (bash_completion).
  - debian/racoon.init:
    - Create /var/run/racoon.
    - Use {} instead of () in usage (bash_completion).
* Dropped:
  - src/racoon/isakmp_inf.c: upstream fix for unecrypted ISAKMP packets.
  - src/racoon/grabmyaddr.c: Define IFA_RTA and #include <linux/if_addr.h>.

Author: Kees Cook
Revision Date: 2008-09-02 12:09:59 UTC

* SECURITY UPDATE: memory leak can lead to denial of service.
* src/racoon/{algorithm,ipsec_doi,isakmp,isakmp_inf,proposal}.c:
  upstream fixes, thanks to Tomas Mraz.
* References
  CVE-2008-3651 CVE-2008-3652

Author: Kees Cook
Revision Date: 2008-09-02 12:09:59 UTC

* SECURITY UPDATE: memory leak can lead to denial of service.
* src/racoon/{algorithm,ipsec_doi,isakmp,isakmp_inf,proposal}.c:
  upstream fixes, thanks to Tomas Mraz.
* References
  CVE-2008-3651 CVE-2008-3652

Author: Patrick Hetu
Revision Date: 2007-07-10 10:59:25 UTC

fix racoon.init to work with bash_completion (LP: #88153)

Author: Kees Cook
Revision Date: 2008-09-02 12:11:55 UTC

* SECURITY UPDATE: memory leak can lead to denial of service.
* src/racoon/{algorithm,ipsec_doi,isakmp,isakmp_inf,proposal}.c:
  upstream fixes, thanks to Tomas Mraz.
* References
  CVE-2008-3651 CVE-2008-3652

Author: Kees Cook
Revision Date: 2008-09-02 12:11:55 UTC

* SECURITY UPDATE: memory leak can lead to denial of service.
* src/racoon/{algorithm,ipsec_doi,isakmp,isakmp_inf,proposal}.c:
  upstream fixes, thanks to Tomas Mraz.
* References
  CVE-2008-3651 CVE-2008-3652

Author: Kees Cook
Revision Date: 2007-04-04 13:46:40 UTC

* SECURITY UPDATE: remote ipsec tunnel disruption.
* src/racoon/isakmp_inf.c: upstream fix for unecrypted ISAKMP packets
  causing tunnels to be disconnected.
* References
  CVE-2007-1841

Author: Kees Cook
Revision Date: 2007-04-04 13:45:08 UTC

* SECURITY UPDATE: remote ipsec tunnel disruption.
* src/racoon/isakmp_inf.c: upstream fix for unecrypted ISAKMP packets
  causing tunnels to be disconnected.
* debian/rules: disabled template rebuild for security update.
* References
  CVE-2007-1841

Author: Kees Cook
Revision Date: 2007-04-04 13:45:08 UTC

* SECURITY UPDATE: remote ipsec tunnel disruption.
* src/racoon/isakmp_inf.c: upstream fix for unecrypted ISAKMP packets
  causing tunnels to be disconnected.
* debian/rules: disabled template rebuild for security update.
* References
  CVE-2007-1841

Author: Martin Pitt
Revision Date: 2006-06-30 10:21:40 UTC

* Merge from Debian. Only changes left:
  - LSB init script.
  - debian/racoon.init: Create /var/run/racoon.

Author: Marc Deslauriers
Revision Date: 2009-06-04 14:46:40 UTC

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Author: Marc Deslauriers
Revision Date: 2009-06-04 14:46:40 UTC

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Author: Martin Pitt
Revision Date: 2006-05-09 11:33:01 UTC

* Synchronize to Debian to bring in new upstream version.
  - UVF exception approved by Matt Zimmerman.
  - New version repairs racoon for road warrior setup (which broke in
    earlier Dapper versions, but worked fine in Breezy). Closes: LP#40386

Author: Kees Cook
Revision Date: 2007-04-04 13:40:41 UTC

* SECURITY UPDATE: remote ipsec tunnel disruption.
* src/racoon/isakmp_inf.c: upstream fix for unecrypted ISAKMP packets
  causing tunnels to be disconnected.
* References
  CVE-2007-1841

Author: LaMont Jones
Revision Date: 2005-09-28 18:33:52 UTC

LSB init scripts.

Author: Martin Pitt
Revision Date: 2005-12-01 11:48:24 UTC

* SECURITY UPDATE: Remote DoS.
* src/racoon/isakmp_agg.c: Fix NULL pointer dereference when the IKE peer
  does not send expected payloads. Only applies to aggressive mode.
* Patch backported from upstream CVS.
* CVE-2005-3732

Author: Ganesan Rajagopal
Revision Date: 2005-03-16 09:31:30 UTC

* Fix ISAKMP Header Parsing DoS bug (closes: #299716).
* Quote URL in README.Debian to avoid confusion (closes: #297179).

Author: Martin Pitt
Revision Date: 2005-12-01 11:51:21 UTC

* SECURITY UPDATE: Remote DoS.
* src/racoon/isakmp_agg.c: Fix NULL pointer dereference when the IKE peer
  does not send expected payloads. Only applies to aggressive mode.
* Patch backported from upstream CVS.
* CVE-2005-3732

Author: Matthew Grant
Revision Date: 2004-06-17 09:05:50 UTC

* Security upload. Updated to vesion 0.3.3 which fixes a "authentication
  bug in KAME's racoon" in eay_check_x509cert() (Bugtraq
  http://seclists.org/lists/bugtraq/2004/Jun/0219.html) (closes: #254663).
* Fix for "racooninit" in racoon-tool.conf. Applied patch submitted by
  Teddy Hogeborn <teddy@fukt.bth.se>. (closes: #249222)
* Stopped patching racoon.conf.5 manpage as the "Japlish" fix is now in the
  source tree.