** Tags removed: regression-update
** Tags added: regression-release
** Package changed: ipsec-tools (Debian) => debian
** Changed in: debian
Importance: Unknown => Undecided
** Changed in: debian
Status: Fix Released => New
** Changed in: debian
Remote watch: Debian Bug tracker
Thanks for the clarification Marc, it is on our list and tagged to be
sooner, but atm I see no one with a few cycles left so it might be a few
days more.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
It looks like we inherited the bad patch from debian, as we haven't
fixed this CVE ourselves. This isn't a post-release security update
regression.
Someone needs to prepare an SRU to fix this issue.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
I should have read it more carefully, 2nd pass of reading makes it better.
The CVE is obviously fixed but it introduced a regression.
Still, having Marc and Jamie subscribed is the right next step to
evaluate a re-fix through the -security pocket.
** Tags added: regression-update
--
You
The security team lists that [1] CVE as fixed already.
I don't see it in [2] that is supposed to fix it thou.
I subscribed Marc and Jamie to help us sorting out if this is:
a) fixed in a different way
b) mistriaged to be fixed but actually still an issue
[1]:
** Changed in: ipsec-tools (Debian)
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793028
Title:
NetBSD CVE Patch Regression
To manage notifications about
Upstream bug report: http://gnats.netbsd.org/cgi-bin/query-pr-
single.pl?number=53646
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1793028
Title:
NetBSD CVE Patch Regression
To manage
Upstream bug report: http://gnats.netbsd.org/cgi-bin/query-pr-
single.pl?number=53646
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793028
Title:
NetBSD CVE Patch Regression
To manage
** Changed in: ipsec-tools (Ubuntu)
Status: Incomplete => Triaged
** Changed in: ipsec-tools (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793028
** Changed in: ipsec-tools (Ubuntu)
Status: Incomplete => Triaged
** Changed in: ipsec-tools (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to ipsec-tools in Ubuntu.
** Tags added: server-next
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793028
Title:
NetBSD CVE Patch Regression
To manage notifications about this bug go to:
Upstream NetBSD has reviewed the proposed code fix and proposed a slight
modification which is now committed in their repository as add-on patch.
The first draft of the patch above has been updated with the proposed
changes. In addition, some limited debugging has been added to support
admins in
The attachment "0001-Fix-isakmp-fragmentation-bug-in-
CVE-2016-10396-patch.patch" seems to be a patch. If it isn't, please
remove the "patch" flag from the attachment, remove the "patch" tag, and
if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message
I performed some analysis and debugging of the isakmp fragmentaion
error. The root cause seems to be a logical error in upstream
CVE-2016-10396 patch. When applying this patch, racoon server prevents
from DoS but does not recognize a completed reassembly of a isakmp
fragemnt chain. This forces
I would offer some support to better analyse the bug. The new log
messages plus debug in racoon do not help much. Maybe dumping network
traffic with wireshark could help, but traffic is encrypted.
so I need some guidance on this.
--
You received this bug notification because you are a member of
Quote from upstream bug report discussion:
I agree there's something wrong with the code, although I would also
like to have ways of reproducing this. Working on this bug right now is
kind of a shot in the dark, and it seems numerous people here have
worked on PoC or have real world
>From the commit history at
https://github.com/NetBSD/src/commits/trunk/crypto/dist/ipsec-
tools/src/racoon/isakmp_frag.c it looks like debian (and ubuntu) has the
latest changes. It's also not clear to me if SuSE reworked that patch,
or also just took the latest version.
What other pointers do
>From the commit history at
https://github.com/NetBSD/src/commits/trunk/crypto/dist/ipsec-
tools/src/racoon/isakmp_frag.c it looks like debian (and ubuntu) has the
latest changes. It's also not clear to me if SuSE reworked that patch,
or also just took the latest version.
What other pointers do
Upstream bug report: http://gnats.netbsd.org/51682
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793028
Title:
NetBSD CVE Patch Regression
To manage notifications about this bug go to:
Upstream bug report: http://gnats.netbsd.org/51682
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to ipsec-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1793028
Title:
NetBSD CVE Patch Regression
To manage notifications about this bug
** Bug watch added: Debian Bug tracker #867986
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
** Also affects: ipsec-tools (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
Importance: Unknown
Status: Unknown
--
You received this bug notification
** Bug watch added: Debian Bug tracker #867986
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
** Also affects: ipsec-tools (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
Importance: Unknown
Status: Unknown
--
You received this bug notification
I've stored a "patched" package in Ubuntu launchpad that fixes this
issue but again contains vulnerability CVE-2016-10396.
https://launchpad.net/~rdratlos/+archive/ubuntu/racoon
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-10396
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793028
Title:
NetBSD CVE Patch Regression
To manage notifications about this
24 matches
Mail list logo
