diff --git a/strongswan.changes b/strongswan.changes
index 29e0fc0..6f027c2 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Tue Oct 14 16:29:59 CEST 2008 - mt@suse.de
+
+- Applied fix for addr_in_subnet() extracted from strongswan-4.2.8
+ which caused insertion of wrong source routes for destination
+ subnets having netwmasks not being a multiple of 8 bits.
+ Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
+ (bnc#435200)
+
+-------------------------------------------------------------------
+Fri Oct 10 08:08:35 CEST 2008 - mt@suse.de
+
+- Applied fix for a Denial-of-Service vulnerability where an
+ IKE_SA_INIT message with a KE payload containing zeroes only can
+ cause a crash of the IKEv2 charon daemon due to a NULL pointer
+ returned by the mpz_export() function of the GNU Multi Precision
+ (GMP) library. Thanks go to Mu Dynamics Research Labs for making
+ us aware of this problem. (bnc#435194)
+
 -------------------------------------------------------------------
 Thu Aug 28 14:31:49 CEST 2008 - mt@suse.de
 
diff --git a/strongswan.spec b/strongswan.spec
index d81e8be..a3d389c 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -22,7 +22,7 @@ Name: strongswan
 %define upstream_version 4.2.6
 %define strongswan_docdir %{_docdir}/%{name}
 Version: 4.2.6
-Release: 3
+Release: 12
 License: GPL v2 or later
 Group: Productivity/Networking/Security
 Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
@@ -40,6 +40,8 @@ Source3: %{name}-%{version}-rpmlintrc
 Patch1: %{name}_modprobe_syslog.dif
 Patch2: %{name}-%{upstream_version}.dif
 Patch3: %{name}_update-dns-server.dif
+Patch4: %{name}_DoS_changeset_r4345.diff
+Patch5: %{name}_addr_in_subnet.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison flex gmp-devel gperf pkg-config
 %if 0%{?suse_version} >= 1030
@@ -137,6 +139,8 @@ Authors:
 %patch1 -p0
 %patch2 -p0
 %patch3 -p0
+%patch4 -p2
+%patch5 -p0
 sed -e 's|@libexecdir@|%_libexecdir|g' \
 < $RPM_SOURCE_DIR/strongswan.init.in \
 > strongswan.init
@@ -269,6 +273,19 @@ fi
 %{_mandir}/man8/starter.8*
 
 %changelog
+* Tue Oct 14 2008 mt@suse.de
+- Applied fix for addr_in_subnet() extracted from strongswan-4.2.8
+ which caused insertion of wrong source routes for destination
+ subnets having netwmasks not being a multiple of 8 bits.
+ Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
+ (bnc#435200)
+* Fri Oct 10 2008 mt@suse.de
+- Applied fix for a Denial-of-Service vulnerability where an
+ IKE_SA_INIT message with a KE payload containing zeroes only can
+ cause a crash of the IKEv2 charon daemon due to a NULL pointer
+ returned by the mpz_export() function of the GNU Multi Precision
+ (GMP) library. Thanks go to Mu Dynamics Research Labs for making
+ us aware of this problem. (bnc#435194)
 * Thu Aug 28 2008 mt@suse.de
 - Fixed to use --enable-curl instead of --enable-http as before
 - Enabled the OpenSSL crypto plugin in the spec file.
diff --git a/strongswan_DoS_changeset_r4345.diff b/strongswan_DoS_changeset_r4345.diff
new file mode 100644
index 0000000..0053f06
--- /dev/null
+++ b/strongswan_DoS_changeset_r4345.diff
@@ -0,0 +1,103 @@
+Index: /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+===================================================================
+--- /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c (revision 4317)
++++ /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c (revision 4345)
+@@ -94,9 +94,13 @@
+ mpz_powm(c, m, this->e, this->n);
+
+- encrypted.len = this->k;
+- encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
++ encrypted.len = this->k;
++ encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
++ if (encrypted.ptr == NULL)
++ {
++ encrypted.len = 0;
++ }
+
+ mpz_clear(c);
+- mpz_clear(m);
++ mpz_clear(m);
+
+ return encrypted;
+Index: /trunk/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+===================================================================
+--- /trunk/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c (revision 3806)
++++ /trunk/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c (revision 4345)
+@@ -344,5 +344,5 @@
+ */
+ mpz_t g;
+-
++
+ /**
+ * My private value.
+@@ -354,5 +354,5 @@
+ */
+ mpz_t ya;
+-
++
+ /**
+ * Other public value.
+@@ -374,5 +374,5 @@
+ */
+ size_t p_len;
+-
++
+ /**
+ * True if shared secret is computed and stored in my_public_value.
+@@ -441,5 +441,9 @@
+ }
+ value->len = this->p_len;
+- value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
++ value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
++ if (value->ptr == NULL)
++ {
++ return FAILED;
++ }
+ return SUCCESS;
+ }
+@@ -452,4 +456,8 @@
+ value->len = this->p_len;
+ value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
++ if (value->ptr == NULL)
++ {
++ value->len = 0;
++ }
+ }
+
+@@ -464,5 +472,9 @@
+ }
+ secret->len = this->p_len;
+- secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
++ secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
++ if (secret->ptr == NULL)
++ {
++ return FAILED;
++ }
+ return SUCCESS;
+ }
+Index: /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+===================================================================
+--- /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c (revision 4317)
++++ /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c (revision 4345)
+@@ -192,4 +192,8 @@
+ decrypted.len = this->k;
+ decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
++ if (decrypted.ptr == NULL)
++ {
++ decrypted.len = 0;
++ }
+
+ mpz_clear_randomized(t1);
+Index: /trunk/src/openac/openac.c
+===================================================================
+--- /trunk/src/openac/openac.c (revision 4318)
++++ /trunk/src/openac/openac.c (revision 4345)
+@@ -104,4 +104,8 @@
+ chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
+ chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
++ if (chunk.ptr == NULL)
++ {
++ chunk.len = 0;
++ }
+ return chunk;
+ }
diff --git a/strongswan_addr_in_subnet.dif b/strongswan_addr_in_subnet.dif
new file mode 100644
index 0000000..a282b36
--- /dev/null
+++ b/strongswan_addr_in_subnet.dif
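Review bot: In the `@@ -441,5 +441,9 @@` and `@@ -464,5 +472,9 @@` hunks of gmp_diffie_hellman.c the FAILED path leaves `value->len` / `secret->len` set to `this->p_len` while the pointer is NULL, so the returned chunk is inconsistent on exactly the all-zero KE input this patch is meant to survive, and a caller that checks `len` before the status would still reach the NULL pointer. The other three sites in this patch (gmp_rsa_public_key.c, the `@@ -452,4 +456,8 @@` hunk, gmp_rsa_private_key.c and openac.c) reset the length to zero; for consistency add `value->len = 0;` and `secret->len = 0;` respectively before each `return FAILED;`. The patch addresses only the mpz_export symptom; whether a zero-valued (or otherwise out-of-range) peer public value is rejected at the point it is stored is outside these hunks and worth confirming, since such a value should be refused before any exponentiation is attempted. The enclosing functions start and end outside the visible hunks.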
@@ -0,0 +1,43 @@
+--- src/charon/kernel/kernel_interface.c
++++ src/charon/kernel/kernel_interface.c 2008/10/14 14:10:13
+@@ -1643,26 +1643,29 @@ static status_t manage_rule(private_kern
+ */
+ static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
+ {
+- int bit, byte;
++ static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
++ int byte = 0;
+
+- if (addr.len != net.len)
++ if (addr.len != net.len || net_len > 8 * net.len )
+ {
+ return FALSE;
+ }
+- /* scan through all bits, beginning in the front */
+- for (byte = 0; byte < addr.len; byte++)
++
++ /* scan through all bytes in network order */
++ while (net_len > 0)
+ {
+- for (bit = 7; bit >= 0; bit--)
++ if (net_len < 8)
+ {
+- /* check if bits are equal (or we reached the end of the net) */
+- if (bit + byte * 8 > net_len)
+- {
+- return TRUE;
+- }
+- if (((1<