diff --git a/strongswan-4.x.x._swapped_ts_check.patch b/strongswan-4.x.x._swapped_ts_check.patch
new file mode 100644
index 0000000..e903411
--- /dev/null
+++ b/strongswan-4.x.x._swapped_ts_check.patch
@@ -0,0 +1,24 @@
+commit 0a3ca29021ffe389ae4f7400ee05f42dcf384d6b
+Author: Martin Willi
+Date: Tue May 12 17:13:09 2009 +0200
+
+ fixed cleanup of traffic selector lists
+
+diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
+index 382266f..6bf9e9d 100644
+--- a/src/charon/sa/tasks/child_create.c
++++ b/src/charon/sa/tasks/child_create.c
+@@ -1126,11 +1126,11 @@ static void destroy(private_child_create_t *this)
+ {
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+- if (this->tsi)
++ if (this->tsr)
+ {
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ }
+- if (this->tsr)
++ if (this->tsi)
+ {
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ }
diff --git a/strongswan-4.x.x_invalid_ike_state.patch b/strongswan-4.x.x_invalid_ike_state.patch
new file mode 100644
index 0000000..5c5645d
--- /dev/null
+++ b/strongswan-4.x.x_invalid_ike_state.patch
@@ -0,0 +1,22 @@
+commit a627e31f463367d83be5814aff8ddbceb725f4ed
+Author: Martin Willi
+Date: Thu May 7 15:53:45 2009 +0200
+
+ properly delete IKE_SA if IKE_SA_INIT processing failed
+
+diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
+index b8e8213..126011e 100644
+--- a/src/charon/sa/ike_sa.c
++++ b/src/charon/sa/ike_sa.c
+@@ -1424,6 +1424,11 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
+ exchange_type_names, message->get_exchange_type(message),
+ message->get_request(message) ? "request" : "response",
+ message->get_message_id(message));
++
++ if (this->state == IKE_CREATED)
++ { /* invalid initiation attempt, close SA */
++ return DESTROY_ME;
++ }
+ return status;
+ }
+ else
diff --git a/strongswan.changes b/strongswan.changes
index 6339e96..19942ac 100644
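Review bot: The corrected destroy() guards now check each traffic selector list by its own pointer before releasing it, but nothing in the code says why either list can be NULL, so a reader seeing two near-identical guards could plausibly merge or reorder them again. According to the changelog in this same commit, TSi or TSr stays NULL when the corresponding payload was absent from the IKE_AUTH exchange, and the previous swapped guards dereferenced the unchecked list. I would add, above the first guard, `/* tsi/tsr stay NULL when the peer never sent that TS payload; guard each list by its own pointer before destroy_offset() */`. destroy() begins and ends outside the hunk, and since this hunk is a vendored upstream commit the comment would have to be carried in the patch file itself.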
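Review bot: The new early return on `this->state == IKE_CREATED` discards the failing `status` computed above it, and the one-line comment does not say why destroying the SA is the right response at that point. Per the commit message and the changelog, a failed IKE_SA_INIT left an SA that never advanced past IKE_CREATED, and a later CREATE_CHILD_SA on that half-initialised SA dereferenced NULL; that rationale belongs next to the branch so it is not loosened later. I would extend the comment to `/* IKE_SA_INIT processing failed: the SA never left IKE_CREATED and holds no usable state, so close it rather than leave it for a later exchange to trip over */`. Whether other failure paths can leave an SA in IKE_CREATED is not visible from here; process_message() begins and ends outside the hunk.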
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Jun 2 09:56:16 CEST 2009 - mt@suse.de
+
+- Applied fix for a Denial-of-Service vulnerability where receiving
+ a malformed IKE_SA_INIT request leaves an incomplete state which
+ causes a crash of the IKEv2 charon while dereferencing a NULL
+ pointer if a subsequent CREATE_CHILD_SA is received (bnc#507742).
+- Applied fix for a Denial-of-Service vulnerability where receiving
+ a malformed IKE_AUTH request with either a missing TSi or TSr
+ traffic selector payload causes a crash of the IKEv2 charon while
+ dereferencing a NULL pointer because the NULL pointer checks of
+ TSi and TSr before destruction were erroneously swapped
+ (bnc#507742).
+
 -------------------------------------------------------------------
 Tue Mar 31 11:19:03 CEST 2009 - mt@suse.de
diff --git a/strongswan.spec b/strongswan.spec
index dbfb38a..cc0141b 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -22,7 +22,7 @@ Name: strongswan
 %define upstream_version 4.2.14
 %define strongswan_docdir %{_docdir}/%{name}
 Version: 4.2.14
-Release: 1
+Release: 2
 License: GPL v2 or later
 Group: Productivity/Networking/Security
 Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
@@ -39,6 +39,8 @@ Source2: %{name}.init.in
 Source3: %{name}-%{version}-rpmlintrc
 Patch1: %{name}_modprobe_syslog.dif
 Patch2: %{name}_update-dns-server.dif
+Patch3: %{name}-4.x.x_invalid_ike_state.patch
+Patch4: %{name}-4.x.x._swapped_ts_check.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison flex gmp-devel gperf pkg-config
 %if 0%{?suse_version} >= 1030
@@ -135,6 +137,8 @@ Authors:
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
+%patch3 -p1
+%patch4 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g' \
 < $RPM_SOURCE_DIR/strongswan.init.in \
 > strongswan.init
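Review bot: The two new patch names differ in form, `%{name}-4.x.x_invalid_ike_state.patch` versus `%{name}-4.x.x._swapped_ts_check.patch`, and the stray `.` before `_swapped` in the Patch4 line looks unintentional. Because the file is added under that exact name in this same commit, making the names consistent means renaming the added patch file together with the Patch4 line and `%patch4 -p1`, not just the spec. The `-p1` strip level for both new patches is consistent with the nested `a/src/...` paths inside them, unlike Patch1 and Patch2 which are applied with `-p0`.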
@@ -267,6 +271,17 @@ fi
 %{_mandir}/man8/starter.8*
 %changelog
+* Tue Jun 02 2009 mt@suse.de
+- Applied fix for a Denial-of-Service vulnerability where receiving
+ a malformed IKE_SA_INIT request leaves an incomplete state which
+ causes a crash of the IKEv2 charon while dereferencing a NULL
+ pointer if a subsequent CREATE_CHILD_SA is received (bnc#507742).
+- Applied fix for a Denial-of-Service vulnerability where receiving
+ a malformed IKE_AUTH request with either a missing TSi or TSr
+ traffic selector payload causes a crash of the IKEv2 charon while
+ dereferencing a NULL pointer because the NULL pointer checks of
+ TSi and TSr before destruction were erroneously swapped
+ (bnc#507742).
 * Tue Mar 31 2009 mt@suse.de
 - Updated to strongSwan 4.2.14 release that fixes a grave DPD denial of service vulnerability registered as CVE-2009-0790,