Upstream NetBSD has reviewed the proposed code fix and proposed a slight modification which is now committed in their repository as an add-on patch.
The first draft of the patch above has been updated with the proposed changes. In addition, some limited debugging has been added to support admins in their root cause analysis, if VPN clients are blackballed due to the stricter fragment checks introduced by NetBSD's CVE patch.

Attached is the updated patch. PPA https://launchpad.net/~rdratlos/+archive/ubuntu/racoon has been updated accordingly and works fine.

** Patch added: "Updated patch for NetBSD CVE Patch"
   https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/1793028/+attachment/5196686/+files/0001-Fix-isakmp-fragmentation-bug-in-CVE-2016-10396-patch.patch

--
https://bugs.launchpad.net/bugs/1793028

Title:
  NetBSD CVE Patch Regression